inner-banner

Google Invites Open Source Devs to Give E2EMail Encryption a Go

However, it should enable the company to focus its attention and resources on issues it believes are more pressing, King added.

Google started the E2EMail project more than a year ago, as a way to give users a Chrome app that would allow the simple exchange of private emails.

The project integrates OpenPGP into Gmail via a Chrome extension. It brings improved usability and keeps all cleartext of the message body exclusively on the client.

E2EMail is built on a proven, open source Javascript crypto library developed at Google, noted KB Sriram, Eduardo Vela Nava and Stephan Somogyi, members of Google's Security and Privacy Engineering team, in an online post.

The encryption application eventually will rely on Google's recent Key Transparency initiative for cryptographic key lookups. Google earlier this year released the project to open source with the aim of simplifying public key lookups at Internet scale.

The Key Transparency effort addresses a usability challenge hampering mainstream adoption of OpenPGP.

During installation, E2EMail generates an OpenPGP key and uploads the public key to the keyserver. The private key is always stored on the local machine.

E2EMail uses a bare-bones central keyserver for testing. Google's Key Transparency announcement is crucial to its further evolution.

Google Partially Benefits

Secure messaging systems could benefit from open sourcing the system. Developers could use a directory when building apps to find public keys associated with an account along with a public audit log of any key changes.

Encryption key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced, suggested Sriram, Nava and Somogyi in their joint post.

Key Transparency delivers a solid, scalable and practical solution. It replaces the problematic web-of-trust model traditionally used with PGP, they pointed out.

"Google announced end-to-end email encryption almost three years ago, and no product or solution ever materialized," said Morey Haber, vice president of technology at BeyondTrust. Since Google decided to open source the project, the technology will not remain proprietary for Chrome and Gmail, Haber added. Instead, Google no longer is working on this project, and the community will own the work and any potential derivatives.

Last Ditch Effort

Google's decision to drop E2EMail and release it to open source might be the company's way of saving face, suggested Rob Enderle, principal analyst at the Enderle Group. Google has admitted that the issues surrounding end-to-end email encryption are far more complex that it originally assumed, so the code it has released is far from fully baked.

Solutions Still Needed

About half of the email that traverses the Internet does so unencrypted, although that may not be the case for messaging and social media apps, suggested BeyondTrust's Haber.Although Google's project never materialized into a product, the ideas and methodologies are good examples to learn from.

  • Publish Date

    07 Mar,2017
  • Add to Calendar

    Google 07/03/2017 00:00:00 07/03/2017 00:00:00 Google Invites Open Source Devs to Give E2EMail Encryption a Go Google last week released its E2EMail encryption code to open source as a way of pushing development of the technology. DD/MM/YYYY
    Outlook 07/03/2017 00:00:00 07/03/2017 00:00:00 Google Invites Open Source Devs to Give E2EMail Encryption a Go Google last week released its E2EMail encryption code to open source as a way of pushing development of the technology. DD/MM/YYYY
  • Scan the QR bellow to save this page on your tablet device:

Getin Touch

Facebook Twitter Google + Linkedin Pinterest Youtube