Google this week released the alpha version of source code for End-to-End, a Chrome browser extension that encrypts email.
End-to-End uses the OpenPGP standard to encrypt, decrypt, digitally sign and verify signed messages within the browser.
“We’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it,” Google said. It will offer a bounty for bugs found, under its Vulnerability Reward Program.
Once the extension is ready for use, it will be released in the Chrome Web Store.
“PGP has shown itself over the years to be a very robust form of encryption,” Alex Watson, director of research at Websense, told TechNewsWorld. “It takes the responsibility out of the provider’s hands — if I send you a PGP-encrypted email, only you and I can read it.”
Tech Details of the Extension
End-to-End will generate Elliptic Curve-based keys. These are supported only in GnuPG 2.1 and later, as well as Symantec’s PGP software, Google said.
End-to-End supports RFC 4880, the OpenPGP Message Format, and RFC 6637, Elliptic Curve Cryptography in OpenPGP.
Google created a “testable, modern cryptographic library” that supports BigInteger, modular arithmetic, symmetric and public-key encryption — and, of course, Elliptic Curve.
The engineers developed an OpenPGP implementation on top of the library.
End-to-End encrypts only the body of Gmail messages. The email subject line and the list of recipients remain unencrypted, as is the norm for messages encrypted with OpenPGP.
There are currently no plans to implement End-to-End on mobile devices, because Chrome on mobile devices doesn’t support extensions.
XSS vulnerabilities let attackers inject malicious scripts into websites; those scripts are delivered to visitors and execute on the client side under the attackers' control.
Both XSS and CSRF are among the top 10 Web security issues for 2013 listed by the Open Web Application Security Project.
To guard against XSS and related flaws, End-to-End uses Content Security Policy and inherently safe framework APIs. Further, it does not trust any website’s Document Object Model or context with unencrypted data.
Calling Out Other Players
Google also this week released information on which email providers were or were not encrypting their services. Overall, 69 percent of messages from Gmail to other providers were encrypted, while 48 percent of messages coming the other way were encrypted.
That information got the Web buzzing, but a closer look at the figures may allay fears.
More than 90 percent of inbound mail from the major players — Amazon, LinkedIn, Facebook, Twitter and Yahoo — was encrypted, and so was 90 percent or more of email to SBCglobal.net, Yahoo, MSN.com, Hotmail, Craigslist and AOL.com.
Hotmail was the only major player whose inbound emails fell short, with just over 50 percent being encrypted.
“As we’ve said on the official Microsoft Blog, we’ve been working to implement increased encryption across Microsoft products and services,” Microsoft spokesperson Katherine Kerrigan told TechNewsWorld, “and are currently rolling out TLS (Transport Layer Security) in Outlook.com.”