Endpoint // Privacy
6/4/2014
04:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Google Adds Chrome Encryption Option For Webmail

An end-to-end encryption test module for Chrome is available now.

Google is now offering a plug-in called End-to-End for the Chrome browser -- in alpha test -- that lets users encrypt their web email messages.

The new End-to-End Chrome extension encrypts, decrypts, digitally signs, and verifies signed messages within the browser using OpenPGP. Google has released the source code for the alpha version of the plug-in, which is built on a new JavaScript-based crypto library.

"'End-to-end' encryption means data leaving your browser will be encrypted until the message's intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser," Stephan Somogyi, product manager for security and privacy at Google, said in a blog post late yesterday.

The goal is to make end-to-end encryption a little more user-friendly and accessible, according to Somogyi. The extension is not yet available in the Chrome Web Store. Google wants it to undergo some community testing and vulnerability research before releasing a final version.

The new Chrome extension answers privacy critics who have been calling for the search engine company to make email encryption available.

"Once we feel that the extension is ready for primetime, we'll make it available in the Chrome Web Store, and anyone will be able to use it to send and receive end-to-end encrypted emails through their existing web-based email provider," Somogyi said. "We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection. But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it."

Both the sender and the recipient would need to be using OpenPGP, says Alex McGeorge, a senior security researcher for Immunity Inc. "You still have to go through the whole process of exchanging keys," for example. "If Google put up a public PGP server for everyone on Gmail who wants one, that would be useful. Then you wouldn't have to go through the steps to trade keys."

Google didn't provide all the details on exactly how End-to-End Encryption will work. Sebastian Munoz, CEO of Realsec Inc., says there are still some unanswered questions about the Chrome extension, such as where the encryption keys will be stored and how they will be secured. "From the perspective of Google, the keys should be safely stored on certified HSMs. From the end user's point of view, a certified token or smart card should be used to store the private keys of each person."

Just how secure the extension will be also is unclear, McGeorge says. "JavaScript and crypto have typically been incompatible. A lot has to do with getting good randomness. That is super important for PGP."

However, Google engineers have publicly acknowledged that issue in the past, and they have been working on it. As a matter of fact, Google directly addresses the issue in the FAQ on End-to-End:

    Implementing crypto in JavaScript is considered heretical by some. When we started work on End-To-End, there was no JavaScript crypto library that met our needs, so we built our own. During development we took into consideration all the criticisms and risks that we are aware of, and invested effort to mitigate these risks as much as possible.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.