The ongoing struggle to provide encrypted email solutions that aren’t on a PGP level of complexity and difficulty is a real challenge.Google’s attempt
The ongoing struggle to provide encrypted email solutions that aren’t on a PGP level of complexity and difficulty is a real challenge.
Google’s attempt at it, called E2EMail, was introduced more than a year ago as an effort to give users a Chrome app that allows for the simple exchange of private emails. On Friday, Google cut it loose to open source.
The project integrates OpenPGP into Gmail via a Chrome extension. KB Sriram, Eduardo Vela Nava, and Stephan Somogyi, of Google’s security and privacy engineering teams, said that engineers have been contributing to the code from inside and out of Google during the past year. They point out that E2EMail targets non-technical users without the need to run an email or OpenPGP client.
“It is a Chrome app that runs independent of the normal Gmail web interface. It behaves as a sandbox where you can only read or write encrypted email, but is otherwise similar to any other communication app,” Google said. “When launched, the app shows just the encrypted mail in the user’s Gmail account. Any email sent from the app is also automatically signed and encrypted.”
Early versions are text-only, and support only PGP/MIME messages.
“The goal is to improve data confidentiality for occasional small, sensitive messages. This way even the mail provider, Google in the case of Gmail, is unable to extract the message content,” Google said. “However, it does not protect against attacks on the local device, and, as usual with PGP, the identities of the correspondents and the subject line of the mail is not protected.”
E2EMail for now uses its own keyserver, but will eventually rely on Google’s recent Key Transparency initiative for cryptographic key lookups, addressing a usability challenge hampering mainstream adoption of OpenPGP. Last month, Google released Key Transparency to open source with the aim of simplifying public key lookups at Internet scale. Google singled out secure messaging systems as one beneficiary of the system, a directory developers could use when building apps to find public keys associated with an account along with a public audit log of any key changes.
“Key Transparency delivers a solid, scalable, and thus practical solution, replacing the problematic web-of-trust model traditionally used with PGP,” Google said.
Google explained that during installation, E2EMail generates an OpenPGP key and uploads the public key to the keyserver. The private key is always stored on the local machine.
“The target is a simple user experience – install app, approve permissions, start reading or send sending messages. As a result, the app automatically handles most of the key management,” Google said.