I was very excited when I read Google’s announcement about their beta release of a Chrome extension that will allow users to encrypt their messages end-to-end. Although Gmail supported HTTPS from the very beginning and now always uses an encrypted connection when you check or send email in your browser, the content of your messages is stored at Google and is accessible to them.
This is not a secret: Google’s terms of service say that “automated systems analyse your content (including emails) to provide you personally relevant product features, such as customised search results, tailored advertising, and spam and malware detection.” Unfortunately, as we read from the documents disclosed by Edward Snowden, this information may also be made accessible to other parties.
What Gmail is missing is end-to-end email security, where one end is myself and the other end is my recipient, not Google. It is also very important that my correspondent and I keep the secret keys, not a third party. In computer security jargon this is called object security, as opposed to channel security (what Google was offering from the beginning), since in email there is no direct channel between me and my correspondent. So Google’s End-to-End seems like a step in the right direction.
It appears to be only a half-step, though. The beta version of the extension only partly integrates with Gmail, and is a bit more than a web interface to OpenPGP. It will let you automatically create new conversations with the encrypted blob copied in. But copy and paste is required to decrypt the message. It also doesn’t allow you to use keyservers, making key management difficult.
So it doesn’t really make use of encrypted email easier, or even on par with other existing tools, but I take it as a sign that Google is committed to making its email service end-to-end secure and to fully integrating it with Gmail at some point. That would be a strong response to pervasive monitoring – an attack against Internet privacy, from the IETF point of view.
Speaking of other tools, for those who use IMAP (or POP) instead of webmail, many of the popular email clients support PGP through extensions and plug-ins. I am using Thunderbird with Enigmail and find signing and encrypting emails pretty straightforward.
Yet, end-to-end encrypted mail is far from being ubiquitous. Is it because it is still too difficult, is there a lack of awareness, or is it not seen as useful to a regular user? At the end of the day, a traditional postal envelope doesn’t offer much protection either.
I think all these factors contribute and that means there is a lot to do before Google’s new feature can become useful and used. But I am glad they are moving in this direction.