Slashdot Mirror
Google Announces 'End-To-End' Encryption Extension For Chrome
Nexus Unplugged (2495076) writes 'On their security blog today, Google announced a new Chrome extension called "End-To-End" intended to make browser-based encryption of messages easier for users. The extension, which was rumored to be "underway" a couple months ago, is currently in an "alpha" version and is not yet available pre-packaged or in the Chrome Web Store. It utilizes a Javascript implementation of OpenPGP, meaning that your private keys are never sent to Google. However, if you'd like to use the extension on multiple machines, its keyring is saved in localStorage, which can be encrypted with a passphrase before being synced. The extension still qualifies for Google's Vulnerability Reward Program, and joins a host of PGP-related extensions already available for Chrome.'
Google also published a report showing how much email is encrypted in transit between Gmail addresses and those from other providers.
1: Compatible with OpenPGP (except for some reasonable caveats. Not bad.)
2: Some thought in building it, not just slinging a beta for download, wise.
3: Keys stored away from where the bad code can compromise a browser... smart.
So far, this seems to be something that can be useful for one who does use PGP or gpg often.
End-To-End doesn’t trust any website's DOM or context with unencrypted data.
I think this is the most important sentence in TFA, as it shows this is a real user-side-DRM (enforcing pivacy rights) in browsers.
Yes, of course you can trust it. It offers +12 resistance against National Security Letters.
Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
If it's an implementation of OpenPGP, then the algorithms are very trustworthy and have been vetted repeteatedly over the long term. Since it's a Chrome extension, it will be written in Javascript, so the source should be available to verify. It will also be intercompatible with every other OpenPGP implementation, and if those are backdoored, we're all doomed anyway. The only reasonable attack vector an entity like the NSA would have (assuming the extension audits clean) would be to force google to update it to a corrupted version, which they presumably could have the power to do en masse or for individual users. I doubt that would go unnoticed for long though. And if it leads to a dramatic uptick in the adoption of secure email, IMO it's worth the risk.
If you're worried about Google itself being forced to compromise this extension, you shouldn't be using Chrome at all.
In any case, the current state of webmail is typically messages stored as plain text, transmitted over secure sockets. Encrypting the message itself is a big step forward.
Seeings as the FBI fought Phil Zimmermenn a former political activist and the writter of PGP tooth and nail in court over it I would guess that they don't have a backdoor.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
How would that help?
What would me, you, or him reading the code accomplish? I guaranty that none of us would spot an NSA level backdoor.
Open Source guarantees optimal security, if you are one of the top ten security professions on the planet and basically have enough time to write the software yourself.
Troll is not a replacement for I disagree.
At first glance, this looks like a good idea which should be encouraged and nurtured. Even if they fuck up something.
The downside is that it's pretty crazy to be doing stuff like this in a scripting language inside of a machine that downloads new versions from somewhere, at the drop of a hat, and where the machine itself (Chrome) is remotely-coercible. (In other words, point a gun at Google's head, and they will extract your key the next time you enter your passphrase.) But really I think this is a minor point! (bear with me; I know that sounds like a bombshell.)
It's good to for people to start using OpenPGP, even if they do some things wrong, and for it to get more mainstreamed. It'll get 'em familiar with the concepts (and they need to learn them all; take anything out and you have a broken system), and then some day they will graduate to the real thing (actual PGP or GnuPG, outside the vulnerable context of today's web browsers) and do things more carefully on their own time while remaining interoperable with their associates.
I know I am a dead-horse beater on this, but OpenPGP, after all these years, really is still the very best, top-notch, number one PK system we have. It's not merely good; it's right. And the applications for the WoT go far beyond merely securing communications from snooping, though it happens to be excellent that that. Three cheers for Google not inventing something gratuitously nonstandard (and therefore, probably deficient)!
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It should be encrypted at all times.
Great idea. Perhaps they should call it "End-to-End" encryption and release it as a Chrome browser extension like they are talking about in this article: http://slashdot.org/story/14/06/03/2059220/google-announces-end-to-end-encryption-extension-for-chrome/
Which reports? Could you show me these reports describing close cooperation with respect to spying on people between Google and the NSA?
I think you are grossly misquoting Eric Schmidt who said words to the effect of, people have to understand the PATRIOT Act, what powers it gives the US government and how little companies can do to fight it. They can't assume they can put stuff into Google and have it be inaccessible to the US Govt. And you know what? He was dead right, wasn't he? But he got crucified by idiots like you for unemotionally stating the facts of the law. A better example of shooting the messenger is hard to find.
Which other players do you mean? If you mean, big web companies, how about:
Being the first big webmail provider to enable SSL for everyone, all the time. Being the first to develop and then open source TLS forward secrecy code (ephemeral EC Diffie Hellman), then being first to activate it. Developing the first SSL pinning implementation, and catching Iran when they tried to use a hacked CA to monitor everyone. Being first to encrypt all internal traffic, something Yahoo is planning to catch up on maybe by the end of this year. Being first to publish transparency reports. Being first to publish statistics on SMTP TLS to help shame companies into upgrading (looking at you Apple). Being first to add and activate new ciphersuites in TLS (ChaCha20 and Curve25519) to replace the horribly broken RC4. Being first to release a new, modern PGP implementation.
If you put down the Google hate I think you'll find they've done a heck of a lot and routinely raised the bar over the past few years. No, they don't collectively march themselves to jail when served with a court order but that's a failure of our governments and indirectly the people who elect them.
Ob. disclaimer: I used to work for Google, doing security related stuff. And I think my colleagues achieved the best that can be expected of them in this arena. Certainly they went well beyond what other companies were doing (nothing).