Open Source Devs to Give E2EMail Encryption

Google last week released its E2EMail encryption code to open source as a way of pushing development of the technology.

“Google has been criticized over the amount of time and seeming lack of progress it has made in E2EMail encryption, so open sourcing the code could help the project proceed more quickly,” said Charles King, principal analyst at Pund-IT.

That will not stop critics, as reactions to the decision have shown, he told LinuxInsider.

However, it should enable the company to focus its attention and resources on issues it believes are more pressing, King added.

Google started the E2EMail project more than a year ago, as a way to give users a Chrome app that would allow the simple exchange of private emails.

The project integrates OpenPGP into Gmail via a Chrome extension. It brings improved usability and keeps all cleartext of the message body exclusively on the client.

E2EMail is built on a proven, open source JavaScript crypto library developed at Google, noted KB Sriram, Eduardo Vela Nava and Stephan Somogyi, members of Google’s Security and Privacy Engineering team, in an online post.

The early versions of E2EMail are text-only and support only PGP/MIME messages. It now uses its own keyserver.

The encryption application eventually will rely on Google’s recent Key Transparency initiative for cryptographic key lookups. Google earlier this year released the project to open source with the aim of simplifying public key lookups at Internet scale.

The Key Transparency effort addresses a usability challenge hampering mainstream adoption of OpenPGP.

During installation, E2EMail generates an OpenPGP key and uploads the public key to the keyserver. The private key is always stored on the local machine.

E2EMail uses a bare-bones central keyserver for testing. Google’s Key Transparency announcement is crucial to its further evolution.

 

Google Partially Benefits

Secure messaging systems could benefit from open sourcing the system. Developers could use a directory when building apps to find public keys associated with an account along with a public audit log of any key changes.

Encryption key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced, suggested Sriram, Nava and Somogyi in their joint post.

Key Transparency delivers a solid, scalable and practical solution. It replaces the problematic web-of-trust model traditionally used with PGP, they pointed out.
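The directory-plus-audit-log idea described above can be sketched with a toy model. This is an added example, not code from the article, E2EMail or Key Transparency: a simple hash chain stands in for Key Transparency's actual data structures, and every name in it (`KeyDirectory`, `auditHistory`, the accounts and fingerprints) is a hypothetical chosen for illustration.

```javascript
// Added illustration (not E2EMail or Key Transparency code): a toy key
// directory whose key changes go into a hash-chained, append-only log.
const { createHash } = require('node:crypto');

const GENESIS = '0'.repeat(64);
// Each entry hash covers the previous hash, so an edit breaks every later link.
const entryHash = (prev, seq, account, fingerprint) =>
  createHash('sha256').update(JSON.stringify([prev, seq, account, fingerprint])).digest('hex');

class KeyDirectory {
  constructor() { this.log = []; }
  head() { return this.log.length ? this.log[this.log.length - 1].hash : GENESIS; }
  // Record a new or replacement public key; returns the new log head.
  publish(account, fingerprint) {
    const prev = this.head(), seq = this.log.length;
    this.log.push({ seq, account, fingerprint, prev, hash: entryHash(prev, seq, account, fingerprint) });
    return this.head();
  }
  // The current key is the most recent entry for the account.
  lookup(account) {
    const hits = this.log.filter((e) => e.account === account);
    return hits.length ? hits[hits.length - 1].fingerprint : null;
  }
}

// Auditor side: recompute the chain, compare it with a head hash obtained
// independently, then return every key the account has ever had.
function auditHistory(log, trustedHead, account) {
  let prev = GENESIS;
  log.forEach((e, i) => {
    if (e.seq !== i || e.prev !== prev || e.hash !== entryHash(prev, i, e.account, e.fingerprint)) {
      throw new Error(`log entry ${i} does not chain`);
    }
    prev = e.hash;
  });
  if (prev !== trustedHead) throw new Error('log head mismatch');
  return log.filter((e) => e.account === account).map((e) => e.fingerprint);
}

// Constructed sample data: alice rotates her key once.
function demo() {
  const dir = new KeyDirectory();
  dir.publish('alice@example.com', 'FPR-ALICE-1');
  dir.publish('bob@example.com', 'FPR-BOB-1');
  const head = dir.publish('alice@example.com', 'FPR-ALICE-2');
  return { current: dir.lookup('alice@example.com'), history: auditHistory(dir.log, head, 'alice@example.com') };
}
```

An account owner who audits the log sees any key published in their name, which is the property that lets a directory replace manual web-of-trust verification.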