Slashdot Mirror
Google Open Sources Encrypted Email Extension For Chrome (onthewire.io)
Last week Google released E2EMail, "a Gmail client that exchanges OpenPGP mail." Google's documentation promises that "Any email sent from the app is also automatically signed and encrypted... The target is a simple user experience -- install app, approve permissions, start reading or send sending messages." Trailrunner7 quotes On The Wire:
People have been trying to find a replacement for PGP almost since the day it was released, and with limited success. Encrypted email is still difficult to use and painful to implement in most cases, but Google has just released a Chrome plugin designed to address those problems.
The new E2EMail extension doesn't turn a user's Gmail inbox into an encrypted mail client. Rather, it is a replacement that gives users a separate inbox for encrypted messages. The system is built on Google's end-to-end encryption library, and the company has released E2EMail as an open-source project.
Wired quotes a web security researcher who calls the open sourcing "a telltale sign the project isn't going anywhere. This is a way for them to get their work out there but to absolve themselves of future obligations." But Google's privacy and security product manager responds that they're tackling some very thorny issues like secure key handling, and "The reason we want to put this into the open source community is precisely because everyone cares about this so much. We don't want everyone waiting for Google to get something done."
Wired quotes a web security researcher who calls the open sourcing "a telltale sign the project isn't going anywhere. This is a way for them to get their work out there but to absolve themselves of future obligations." But Google's privacy and security product manager responds that they're tackling some very thorny issues like secure key handling, and "The reason we want to put this into the open source community is precisely because everyone cares about this so much. We don't want everyone waiting for Google to get something done."
Having a plugin is nice, but it doesn't solve the PKI (key distribution and reputation) problem, and I am not very inclined to trust a plugin made by a company whose primary line of business is advertising by building user profiles.
How about support for SMIME ?
It would be nice if they supported DANE so that all the keys where looked up automatically!
Why not ?
John
People have been trying to find a replacement for PGP almost since the day it was released
I've been around since PGP first popularized public key email and while there have been various problems with Zimmerman's implementation from time to time (as with S/MIME since)... I do not recall any broad opposition to it or GnuPG... besides intelligence agencies who would be satisfied with nothing less than outlawing non-escrow encryption. We were in fact excited and intrigued by it, and it was fun to use even if you weren't paranoid. This must be a dispatch from the Millennial Alternate Universe where or any project emitted by Microsoft or promised by Google or announced in a press release is considered to be a vast improvement on what came before it.
End-To-End Encryption implemented solely in Javascript which is served up by the company that's not supposed to be spying on you is not worth the paper it's printed on. And Key Transparency is a fancy way of saying, use our single point of failure Internet Gizmo 'solution' to handle key management so you don't have to think about insurmountable issues of trust, as were directly addressed in Zimmerman's day (key signing parties, etc.).
<blink>down the rabbit hole</blink>