Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

2/27/2017
04:25 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Google's Ease-of-Use Email Encryption Project Goes Open Source

E2Email, together with open source Key Transparency project, are meant to take on the challenges that have dogged end-to-end email encryption adoption for decades.

Engineers at Google for several  years have been doing battle against the perception that end-to-end email encryption necessarily must be complex and hard to use. They've been cooking up a project called E2EMail that's designed to offer a simpler alternative to PGP for Gmail through a Chrome Extension, and now they're taking the project to the open-source community.

Google's internal security team at the firm released the extension over a year ago, and hope that going open source will advance the project and easy-to-use email encryption.

"E2EMail is built on a proven, open source Javascript crypto library developed at Google," wrote KB Sriram, Eduardo Vela Nava, and Stephan Somogyi of Google's security and privacy engineering team in an announcement on Friday. "It’s now a fully community-driven open source project, to which passionate security engineers from across the industry have already contributed." 

According to the engineers, Google initiated the project because PGP in command-line form "clumsily interoperates with Gmail" and is "too hard to use."

E2Email integrates OpenPGP in a simpler-to-use extension that keeps cleartext of the message exclusively on the client. This announcement follows close on the heels of another made last month about another open source initiative called Key Transparency, which Google believes fits hand-in-glove with E2Email.

The Google security team kicked off the Key Transparency project to tackle the challenges of discovery and distribution in OpenPGP implementations. The goal is to create an open-source and transparent directory of public keys with an ecosystem of mutually auditing directories.

"We’ve spent a lot of time working through the intricacies of making encrypted apps easy to use and in the process, realized that a generic, secure way to discover a recipient's public keys for addressing messages correctly is important," wrote Ryan Hurst and Gary Belven of Google's security and privacy team last month. "Not only would such a thing be beneficial across many applications, but nothing like this exists as a generic technology."

They explain that the manual verification required by the PGP web-of-trust model has proven over the last 20 years to be too difficult to gain widespread use. They believe that the relationships between online personas and public keys need to be automatically verifiable and publicly auditable, and that's what the Key Transparency project intends to strive for.

When it comes to email encryption, the Google security team believes that Key Transparency is "crucial" to E2Email's evolution and that's where it hopes to lead the open source efforts in the near future. Google's encouraging community participation by directing interested contributors to the E2Email repository on GitHub.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
2/28/2017 | 6:33:22 AM
authentication
the key to the proper use of Public Key Encryption -- lies in understanding authentication

I could send you my public key.   or you can download it from the keyservers.   key ID: 4DEA0DAD

but how would you assure yourself that you have it correct?

it's not all that hard: you need an "introducer".    this could be just a phone call or a private meeting.   or it can be done using a trusted service

this is where things get hung up though.   and it's not the fault of the public; it's the fault of the software industry -- which has not moved forward with authentication and privacy -- even though the need is critical.    Tax returns -- Forms 1040 -- would be a first rate example.

as well as "phishing" type e/mails -- which have been a principle vector for malware.     all messages should be authenticated -- so that users can drop unwanted inputs.    unfortunately there's grifters about who are very much against the idea of bringing communication under control

for the record -- Public Key Incryption -- GPG/PGP -- has been available in e/mail -- incorporated into products such as Thunderbird/ENIGMAIL -- for a good many years now.    Echelon and CLAWS also incorporate GPG; too you can incorporate Symantec PGP/Desktop into MSFT/Outlook.

so what Google wants to do here isn't new.   it's Past Due.
Richard_ABT
50%
50%
Richard_ABT,
User Rank: Author
2/28/2017 | 12:23:54 AM
Will it be enough?
I've been trying to get friends and family to encrypt messages for years - with little to no success. Will this be enough to get people to start? I'm hopeful, but doubtful. I think it's going to fall upon all of us to make it even more seamless and invisible to the 'regular' end user. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8344
PUBLISHED: 2020-09-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-8347
PUBLISHED: 2020-09-24
A reflective cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's browser if a crafted url is visited, possibly through phishing.
CVE-2020-8348
PUBLISHED: 2020-09-24
A DOM-based cross-site scripting (XSS) vulnerability was reported in Lenovo Enterprise Network Disk prior to version 6.1 patch 6 hotfix 4 that could allow execution of code in an authenticated user's current browser session if a crafted url is visited, possibly through phishing.
CVE-2020-15850
PUBLISHED: 2020-09-24
Insecure permissions in Nakivo Backup & Replication Director version 9.4.0.r43656 on Linux allow local users to access the Nakivo Director web interface and gain root privileges. This occurs because the database containing the users of the web application and the password-recovery secret value i...
CVE-2020-15851
PUBLISHED: 2020-09-24
Lack of access control in Nakivo Backup & Replication Transporter version 9.4.0.r43656 allows remote users to access unencrypted backup repositories and the Nakivo Controller configuration via a network accessible transporter service. It is also possible to create or delete backup repositories.