Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

6/4/2014
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Google Adds Chrome Encryption Option For Webmail

An end-to-end encryption test module for Chrome is available now.

Google is now offering a plug-in called End-to-End for the Chrome browser -- in alpha test -- that lets users encrypt their web email messages.

The new End-to-End Chrome extension encrypts, decrypts, digitally signs, and verifies signed messages within the browser using OpenPGP. Google has released the source code for the alpha version of the plug-in, which is built on a new JavaScript-based crypto library.

"'End-to-end' encryption means data leaving your browser will be encrypted until the message's intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser," Stephan Somogyi, product manager for security and privacy at Google, said in a blog post late yesterday.

The goal is to make end-to-end encryption a little more user-friendly and accessible, according to Somogyi. The extension is not yet available in the Chrome Web Store. Google wants it to undergo some community testing and vulnerability research before releasing a final version.

The new Chrome extension answers privacy critics who have been calling for the search engine company to make email encryption available.

"Once we feel that the extension is ready for primetime, we'll make it available in the Chrome Web Store, and anyone will be able to use it to send and receive end-to-end encrypted emails through their existing web-based email provider," Somogyi said. "We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection. But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it."

Both the sender and the recipient would need to be using OpenPGP, says Alex McGeorge, a senior security researcher for Immunity Inc. "You still have to go through the whole process of exchanging keys," for example. "If Google put up a public PGP server for everyone on Gmail who wants one, that would be useful. Then you wouldn't have to go through the steps to trade keys."

Google didn't provide all the details on exactly how End-to-End Encryption will work. Sebastian Munoz, CEO of Realsec Inc., says there are still some unanswered questions about the Chrome extension, such as where the encryption keys will be stored and how they will be secured. "From the perspective of Google, the keys should be safely stored on certified HSMs. From the end user's point of view, a certified token or smart card should be used to store the private keys of each person."

Just how secure the extension will be also is unclear, McGeorge says. "JavaScript and crypto have typically been incompatible. A lot has to do with getting good randomness. That is super important for PGP."

However, Google engineers have publicly acknowledged that issue in the past, and they have been working on it. As a matter of fact, Google directly addresses the issue in the FAQ on End-to-End:

    Implementing crypto in JavaScript is considered heretical by some. When we started work on End-To-End, there was no JavaScript crypto library that met our needs, so we built our own. During development we took into consideration all the criticisms and risks that we are aware of, and invested effort to mitigate these risks as much as possible.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-22390
PUBLISHED: 2021-06-21
Akaunting <= 2.0.9 is vulnerable to CSV injection in the Item name field, export function. Attackers can inject arbitrary code into the name parameter and perform code execution when the crafted file is opened.
CVE-2018-25016
PUBLISHED: 2021-06-21
Greenbone Security Assistant (GSA) before 7.0.3 and Greenbone OS (GOS) before 5.0.0 allow Host Header Injection.
CVE-2019-25047
PUBLISHED: 2021-06-21
Greenbone Security Assistant (GSA) before 8.0.2 and Greenbone OS (GOS) before 5.0.10 allow XSS during 404 URL handling in gsad.
CVE-2020-21517
PUBLISHED: 2021-06-21
Cross Site Scripting (XSS) vulnerability in MetInfo 7.0.0 via the gourl parameter in login.php.
CVE-2006-0016
PUBLISHED: 2021-06-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.