Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Encryption Google Open Source The Internet

Google Open Sources Encrypted Email Extension For Chrome (onthewire.io) 44

Last week Google released E2EMail, "a Gmail client that exchanges OpenPGP mail." Google's documentation promises that "Any email sent from the app is also automatically signed and encrypted... The target is a simple user experience -- install app, approve permissions, start reading or send sending messages." Trailrunner7 quotes On The Wire: People have been trying to find a replacement for PGP almost since the day it was released, and with limited success. Encrypted email is still difficult to use and painful to implement in most cases, but Google has just released a Chrome plugin designed to address those problems. The new E2EMail extension doesn't turn a user's Gmail inbox into an encrypted mail client. Rather, it is a replacement that gives users a separate inbox for encrypted messages. The system is built on Google's end-to-end encryption library, and the company has released E2EMail as an open-source project.
Wired quotes a web security researcher who calls the open sourcing "a telltale sign the project isn't going anywhere. This is a way for them to get their work out there but to absolve themselves of future obligations." But Google's privacy and security product manager responds that they're tackling some very thorny issues like secure key handling, and "The reason we want to put this into the open source community is precisely because everyone cares about this so much. We don't want everyone waiting for Google to get something done."
This discussion has been archived. No new comments can be posted.

Google Open Sources Encrypted Email Extension For Chrome

Comments Filter:
  • encrypted email provide privacy! We have to work on this
  • by Entrope ( 68843 ) on Saturday March 04, 2017 @12:58PM (#53976027) Homepage

    Having a plugin is nice, but it doesn't solve the PKI (key distribution and reputation) problem, and I am not very inclined to trust a plugin made by a company whose primary line of business is advertising by building user profiles.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Having a plugin is nice, but it doesn't solve the PKI (key distribution and reputation) problem,

      RTFA. They've provided a keyserver based on OAuth and a "trust on first use / warn on change" local cache. It solves the problem better than traditional PGP, albeit with less (nonfunctional) kool aid.

      and I am not very inclined to trust a plugin made by a company whose primary line of business is advertising by building user profiles.

      Then read the source, or expect others to do so and destroy Google's reputation if there are backdoors. The alternatives to the plugin are written by anyone who can send a pull request, ie. NSA. The fact that Google has some reputation to lose puts the situation above average, same as with Chrome. Either w

    • by geek ( 5680 )

      Having a plugin is nice, but it doesn't solve the PKI (key distribution and reputation) problem, and I am not very inclined to trust a plugin made by a company whose primary line of business is advertising by building user profiles.

      What does PKI have to do with OpenPGP? Its fucking open source, why do you care who makes it if its open and you can see whether its spying on you?

      • Adam wants to send a message to Betty without anyone being able to snoop on it. Eve wants to snoop, for example by tricking Adam into thinking Eve's key belongs to Betty, or keeping Betty from reporting that get key changed due to a compromise. PKI is how you keep Eve from being able to fool with keys.

        • by geek ( 5680 )

          Thats not PKI. PKI is Public Key Infrastructure, as in certificate managers and issuers. You're point is juvenile and underlays your ignorance on the topic.

          • by Entrope ( 68843 )

            Wikipedia [wikipedia.org] agrees with me that a WoT is one form of PKI, and the published verification and trust statements that make up the WoT work as certificates of the associated public keys.

            You have an unreasonably constrained view of what qualifies as a PKI. A PKI is merely something that helps users reliably identify the public keys that are used by particular other users. Google's system here does not solve the PKI problem because it really only associates the public keys with an account, not with the end user,

    • by Zemran ( 3101 )
      Despite the trolls, I agree with you. Google do not have a reputation to lose as it is already lost. They are world famous for reading your mail and selling the content to their advertisers. They are exactly the people I want a good encrypted mail system to avoid. At best this just encourages more people to use to Google who they believe will not use encryption for the majority of their mail and will therefore provide more mail for Google to read and sell. You are not the customer to Google, you are th
  • SMIME and DANE ? (Score:4, Insightful)

    by johnjones ( 14274 ) on Saturday March 04, 2017 @01:01PM (#53976043) Homepage Journal

    How about support for SMIME ?

    It would be nice if they supported DANE so that all the keys where looked up automatically!

    Why not ?

    John

  • I hate DRM as much as anyone but lets face it, if he did not ratify it into the standard, DRM isn't just gonna magically go away.
    The only effect not ratifying it would actually have is to ensure the continued existence of a fragmented mess of multiple different actual implementations across different sites.

  • So why is e2email by e2email-org and not by Google?
  • by TheRealHocusLocus ( 2319802 ) on Saturday March 04, 2017 @01:28PM (#53976173)

    People have been trying to find a replacement for PGP almost since the day it was released

    I've been around since PGP first popularized public key email and while there have been various problems with Zimmerman's implementation from time to time (as with S/MIME since)... I do not recall any broad opposition to it or GnuPG... besides intelligence agencies who would be satisfied with nothing less than outlawing non-escrow encryption. We were in fact excited and intrigued by it, and it was fun to use even if you weren't paranoid. This must be a dispatch from the Millennial Alternate Universe where or any project emitted by Microsoft or promised by Google or announced in a press release is considered to be a vast improvement on what came before it.

    End-To-End Encryption implemented solely in Javascript which is served up by the company that's not supposed to be spying on you is not worth the paper it's printed on. And Key Transparency is a fancy way of saying, use our single point of failure Internet Gizmo 'solution' to handle key management so you don't have to think about insurmountable issues of trust, as were directly addressed in Zimmerman's day (key signing parties, etc.).

    • Sure, if you ignore X.509 and all the other PKI standards [oasis-pki.org], no one has been trying to replace PGP's key distribution and verification schemes.

      But when you look at what has actually been going on, is pretty clear that -- whether their reasons are good or bad -- lots of groups have rejected the PGP approach to public key crypto.

  • It does not scale. You can create a key for any domain with no verification - remember people tend to blindly click accept. You can create key with no expiration date, or long expiration dates - I'm sorry, but that is stupid.
  • Unlike useful applications like Picasa that Google just dumped unceremoniously without patching significant bugs like its inability to scale previews to different resolutions.

The human mind ordinarily operates at only ten percent of its capacity -- the rest is overhead for the operating system.

Working...