Google is planning to beef up privacy and security options for its Chrome browser with a new feature it calls End to End; it’s a Chrome extension that will encrypt email messaging data from the browser to the intended recipient. Similarly, encrypted messages that are received will remain that way until the user decrypts them in the browser.
The idea of course is to prevent prying eyes like, say, those belonging to hackers or other interested parties, to lift message content. Google hopes that it will be especially useful for those sending very sensitive messages, such as those containing corporate data, or vertical market users worried about compliance, such as healthcare providers.
This has been tried before for web mail; but in the wake of NIST-developed encryption algorithms being called into question due to alleged weakening by the National Security Agency, encrypted email services like Silent Circle's Silent Mail have decided to shut down. Microsoft did however leap into the breach last autumn with a new version of Exchange Hosted Encryption (EHE), dubbed Office 365 Message Encryption, which will work with web clients.
There are also more IT-focused options. “While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use,” explained Stephan Somogyi, product manager for security and privacy at Google, in a blog. “To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools.”
The stakes are obviously fairly high. So, the tool is in alpha release, and it hasn’t made its way to the Chrome Web Store yet; the search giant is for now just sharing the code so that the community can test and evaluate it. The company has also made it part of its Vulnerability Reward bug-bounty program.
Encryption and digital signature expert Sebastian Munoz, CEO of REALSEC, told Infosecurity that he has some concerns with the scheme out of the gate.
“The word ‘key’ is in fact the key to the whole encryption system,” he explained. “Where are those keys that will grant access to the content of the encrypted emails stored? How can Google guarantee that nobody will have access to those keys and therefore, to the encrypted content?”
From the perspective of Google, the keys should be safely stored on certified [hardware security modules],” he added. “From the end user's point of view, a certified token or smart card should be used to store the private keys of each person.”
The protocol being used, TLS (or Transport Layer Security), is an evolution of previous SSL encryption and uses standard X.509 certificates to authenticate the counterparty with whom they are communicating. Munos said that it’s a good system, but not 100% reliable because it can still be subject to man-in-the-middle attacks.
“However, the use of TLS is becoming widely adopted and it would be desirable that other email providers would include such support as well, so that the whole system could be more effective,” he said.
Google said that it plans to take its time to fully vet the feature. “Once we feel that the extension is ready for primetime, we’ll make it available in the Chrome Web Store, and anyone will be able to use it to send and receive end-to-end encrypted emails through their existing web-based email provider,” Somogyi said.