We have looked at Mailvelope before, a free browser extension that allows secure end-to-end email encryption using your favorite browser-based webmail service, including Gmail (other similar extensions also exist).
Well, in its fight-back against the NSA, Google has now released the open source code for the alpha version of a Chrome browser plugin that will provide a very similar form of end-to-end email encryption when using the Gmail service.
Like Mailvelope, the new extension (which is not yet available to the general public) uses the open source implementation of PGP, OpenPGP, to securely encrypt an email on a user’s desktop, so that it can only be decrypted by the intended recipient with the correct private key.
This is a great move by Google, because although the new extension appears to offer nothing that Mailvelope and the like do not already offer, the fact that it has Google’s weight behind it may lead to more widespread adoption.
There are problems, however. Although the most secure way to send emails yet devised, PGP is fiddly to use (especially for the non-tech-savvy), and because Google has stated that it will not keep private keys on its servers, there is no way to recover lost private keys (something the general public may find difficult to accept). Getting the implementation entirely secure may also prove to be difficult.
In addition to this, Google’s revenue is largely based on scanning users’ emails so that it can deliver targeted advertising, something encrypting emails’ contents will prevent.
All of which makes it unlikely that Google will push for widespread adoption of its extension, but the fact that it is developing such technology is encouraging.
A bigger (and unfixable) problem is that email is itself insecure. Even with proper implementation (always a weak point), PGP only encrypts the contents of an email (and we all know how dangerous metadata can be). Until email is replaced by a ground-up, privacy-based alternative (as Darkmail promises it will be, even though it has released no source code yet), encrypted Instant Message systems provide greater communications privacy.
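To make the metadata point concrete, here is an added example (not code from Google's extension or Mailvelope) that parses a constructed message with a PGP-armored body and lists what every mail server handling it can still read. The addresses, subject, header selection and placeholder ciphertext are all assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample: a message whose body was PGP-encrypted by the sender's
# client. Addresses, subject and the armored payload are placeholders.
RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net; Tue, 03 Jun 2014 10:15:02 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Meeting on Thursday
Date: Tue, 03 Jun 2014 10:15:00 +0000
Message-ID: <constructed-1@example.org>
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

PLACEHOLDERciphertextNOTrealDATA
-----END PGP MESSAGE-----
"""

# Headers that travel outside the encrypted body (illustrative selection).
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID", "Received")


def visible_to_mail_servers(raw):
    """Return (exposed headers, body_is_armored) as seen without the private key."""
    msg = message_from_string(raw)
    exposed = {}
    for name in METADATA_HEADERS:
        values = msg.get_all(name)
        if values:
            # Unfold continuation lines so each header reads as one value.
            exposed[name] = [" ".join(v.split()) for v in values]
    body = msg.get_payload()
    body_encrypted = body.lstrip().startswith("-----BEGIN PGP MESSAGE-----")
    return exposed, body_encrypted


if __name__ == "__main__":
    exposed, body_encrypted = visible_to_mail_servers(RAW_MESSAGE)
    for name, values in exposed.items():
        for value in values:
            print(f"cleartext  {name}: {value}")
    print("body encrypted:", body_encrypted)
```

Sender, recipient, subject line, timestamps and relay hops all come back in cleartext even though the body is unreadable without the private key.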