Google this week released the alpha version of source code for End-to-End, a Chrome browser extension that encrypts email.
End-to-End uses the OpenPGP standard to encrypt, decrypt, digitally sign and verify signed messages within the browser.
“We’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it,” Google said. It will offer a bounty for bugs found, under its Vulnerability Reward Program.
Once the extension is ready for use, it will be released in the Chrome Web Store.
“PGP has shown itself over the years to be a very robust form of encryption,” Alex Watson, director of research at Websense, told TechNewsWorld. “It takes the responsibility out of the provider’s hands — if I send you a PGP-encrypted email, only you and I can read it.”
Tech Details of the Extension
End-to-End will generate Elliptic Curve-based keys. Google said these are supported only in GnuPG 2.1 and later and in Symantec’s PGP software, so recipients on older OpenPGP implementations will not be able to use them.
End-to-End supports RFC 4880, the OpenPGP Message Format, and RFC 6637, Elliptic Curve Cryptography in OpenPGP.
The source code is built on a JavaScript crypto library developed by Google engineers.
Google created a “testable, modern cryptographic library” that supports BigInteger, modular arithmetic, symmetric and public-key encryption — and, of course, Elliptic Curve.
The engineers developed an OpenPGP implementation on top of the library.
End-to-End encrypts only the body of Gmail messages. The email subject line and the list of recipients remain unencrypted, as is the norm for messages encrypted with OpenPGP.
There are currently no plans to implement End-to-End on mobile devices, because Chrome on mobile devices doesn’t support extensions.
The Dangers of JavaScript
Code that runs in the browser is exposed to a well-known class of attacks, the best-known being cross-site scripting (XSS). XSS is a flaw in Web applications rather than in JavaScript itself: a site echoes attacker-controlled input into a page without encoding it, so the attacker’s script runs with the page’s own origin. Exploits of this flaw are among the most common application-layer Web attacks.
A successful XSS attack gives the attacker script that executes in the victim’s browser with the same privileges as the site’s own code, able to read the page, its cookies and anything shown to the user, and to act whenever the attacker instructs it.
Cross-site request forgery (CSRF) is another common Web application flaw, and again not a defect in JavaScript as such. A malicious page the victim visits causes the victim’s browser to send a request to a Web application where the user is already logged in; the browser attaches the session cookies automatically, so the application carries out the action as if the victim had asked for it. This lets the attacker drive functionality in the target application through the victim’s authenticated browser.
Both XSS and CSRF are among the top 10 Web security issues for 2013 listed by the Open Web Application Security Project.
End-to-End mitigates the risk of information leaks caused by JavaScript by requiring user interaction for private operations in normal use, Google said.
As for XSS and related flaws, End-to-End uses Content Security Policy, which lets the extension refuse inline and injected scripts, and relies on inherently safe framework APIs that encode untrusted output by construction. Further, it does not trust any website’s Document Object Model or script context with unencrypted data, so plaintext is never written into the mail site’s page.
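The Content Security Policy point deserves a worked comparison. What follows is an added example, not End-to-End’s real policy or code: a small evaluator for the script-src part of a CSP string, run over a constructed weak policy and a constructed strict one, showing why a policy that keeps 'unsafe-inline' does nothing against an injected inline script while a policy restricted to 'self' blocks it. The evaluator models only CSP level 1 keywords and the default-src fallback; nonces and hashes are not handled.

```javascript
// Added illustration, not End-to-End code: evaluate what a CSP's script-src
// lets an injected script do. Policy strings below are constructed examples.

// Parse "directive value value; directive value" into a Map of token arrays.
// Per the spec, a repeated directive is ignored; the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src when absent. If neither is present the
// policy says nothing about scripts, i.e. the browser's pre-CSP behaviour.
function scriptSources(policy) {
  const d = parseCsp(policy);
  if (d.has('script-src')) return d.get('script-src');
  if (d.has('default-src')) return d.get('default-src');
  return null;
}

// Summarise the policy from an XSS attacker's point of view: can an injected
// <script> or onerror= handler run, can injected code reach eval(), and which
// remote hosts could a script be loaded from. Nonces/hashes (CSP level 2),
// which override 'unsafe-inline', are deliberately not modelled here.
function assessScriptPolicy(policy) {
  const src = scriptSources(policy);
  if (src === null) {
    return { inlineAllowed: true, evalAllowed: true, hostSources: ['*'],
             verdict: 'no script restriction at all' };
  }
  const lower = src.map((s) => s.toLowerCase());
  const inlineAllowed = lower.includes("'unsafe-inline'");
  const evalAllowed = lower.includes("'unsafe-eval'");
  // Keyword sources are quoted ('self', 'none', ...); anything else is a host
  // or scheme source such as https://cdn.example or https:.
  const hostSources = lower.filter((s) => !s.startsWith("'"));
  const verdict = inlineAllowed
    ? 'weak: an injected inline <script> or event handler still runs'
    : 'strict: injected inline script is blocked';
  return { inlineAllowed, evalAllowed, hostSources, verdict };
}

// Constructed policies for comparison.
const weakPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example";
const strictPolicy = "script-src 'self'; object-src 'none'";

console.log(assessScriptPolicy(weakPolicy).verdict);   // weak: ...
console.log(assessScriptPolicy(strictPolicy).verdict); // strict: ...
```

The strict form is the shape an extension wants: scripts only from its own package, no inline handlers for an injected payload to hide in, and no eval for injected strings to pass through. CSP is a second line of defence behind output encoding; it limits what an XSS bug can do rather than removing the bug.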
“Google has invested a lot over the years in making JavaScript secure and is in a unique position of being able to fix some of the less optimal parts of the JavaScript code,” Websense’s Watson said.
Calling Out Other Players
Google also this week released figures on which email providers were or were not encrypting mail in transit as it passed between their servers and Gmail. Overall, 69 percent of messages from Gmail to other providers were encrypted, while 48 percent of messages coming the other way were encrypted.
That information got the Web buzzing, but a closer look at the figures may allay fears.
More than 90 percent of inbound mail from the major players — Amazon, LinkedIn, Facebook, Twitter and Yahoo — was encrypted, and so was 90 percent or more of email to SBCglobal.net, Yahoo, MSN.com, Hotmail, Craigslist and AOL.com.
Hotmail was the only major player whose inbound emails fell short, with just over 50 percent being encrypted.
“As we’ve said on the official Microsoft Blog, we’ve been working to implement increased encryption across Microsoft products and services,” Microsoft spokesperson Katherine Kerrigan told TechNewsWorld, “and are currently rolling out TLS (Transport Layer Security) in Outlook.com.”