Six Clicks: Encryption for your webmail

Six Clicks: Encryption for your webmail

Summary: Those who want maximum privacy for their email have a tough time using difficult software. Google is attempting to do better with Gmail, but there's already a decent webmail solution.


 |  Image 1 of 7

  • Thumbnail 1
  • Thumbnail 2
  • Thumbnail 3
  • Thumbnail 4
  • Thumbnail 5
  • Thumbnail 6
  • Thumbnail 7
  • So you want maximum security for your email...

    It shouldn't have been any surprise at all, but Edward Snowden's leaks of NSA information have raised awareness of the fact that our data in public clouds, like Gmail, is not entirely private. The government can get a warrant for it and the cloud company can (make that "has to") give them access to all your data. Or they can spy on the internal communications of the cloud provider and not bother with the warrant.

    So what can you do? For a very long time you've been able to use PGP (Pretty Good Privacy) and similar software to make encryption end-to-end, so that only you and the person with the right encryption key can see the contents. Everyone else only sees "ciphertext" which is only crackable with an inordinate amount of time and computing resources.

    Yesterday Google announced a new development effort to make the use of strong, end-to-end encryption in Gmail easier to use. It's called "End-To-End" and, for now, it's just an alpha-stage programming project. It's written as a Chrome extension that uses OpenPGP.js, an open source OpenPGP implementation written in JavaScript, to run the encryption/decryption on the local computer inside the browser.

    PGP has always been the gold standard for privacy in email, but notorious for poor usability. The idea of End-To-End is that by implementing PGP inside Chrome, it can be made easier to use.

    One big usability barrier for PGP is that it relies on a trust model called the "web of trust," illustrated here. Everyone has to trust people specifically and keep track of who they trust and what their keys are, although they can make trust transitive by signing someone else's key: If Alice signs Bob's key, they anyone who trusts Alice will trust Bob.

    If this sounds complicated, that's because it is. Can Google make it easy? If not, it may not matter.

    (Image courtesy GnuTLS)

    Previously on Six Clicks:

    Six Clicks: How do you keep track of all your passwords?

    Six clicks: How hackers use employees to break through security

    Six clicks: Weird tricks that will actually make you happier with Windows 8.1

    Six clicks: Microsoft OneDrive tricks that make it easy

    Six clicks: Simple and time-saving Google search tricks















  • Mailvelope: What Google aspires to build?

    Amazingly (or not), someone has already built the system that Google is planning to build, and it's not just for Chrome and Gmail.

    Mailvelope is a webmail implementation of OpenPGP which uses the same OpenPGP.js library as End-To-End. It is written by Thomas Oberndorfer and is open source. Oberndorfer tells me that the idea goes back to FireGPG, a Firefox extension project, since discontinued, to implement GPG (GnuPG, for GNU Privacy Guard, another OpenPGP implementation) in the browser.

    Mailvelope is available now and works with GmailOutlook.comYahoo! Mail and GMX. It is available as a Chrome extension or Firefox add-in.

    Mailvelope integrates into these webmail user interfaces, but it has to be careful how it does so. It can't let the servers gain access to unencrypted data, so it launches its own UI in which the user composes and/or edits email, picks the recipients and encrypts (or merely signs) the message.

    (Image Mailvelope)

Topics: Security, Government, Government US, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Encrypt Attachments?

    From what I've Googled, it doesn't appear Mailvelope encrypts attachments (am I wrong?).

    I therefore resort to using TBird and the Enigmail add-on.

    Thanks (and I enjoy your columns),
    • Encrypt Attachments

      Just received (unencrypted!) email from developer - encryption of attachments not supported.