Javascript GPG: Protect your webmail

25 Nov 2011

I just tried out GPG4Browsers in Google Chrome.
It is a Javascript implementation of OpenPGP (only key generation is missing).

It is really easy to install in Chrome, just follow the steps on the website.
At the moment the plugin only seems to work with Gmail and in Chrome, but hopefully this will change soon and both Firefox plugins and support for other web clients like Roundcube will be available (the hard part, writing the Javascript OpenPGP implementation, is done, so now it's just a matter of packaging).

The plugin at work

The Chrome plugin adds a little button in the address field when you log in to Gmail that enables you to create a new encrypted message (and import keys from the keyserver of your choice and such).

It also detects if a message seems to be encrypted with PGP and asks you if you want to decrypt it.

So… what does this mean?
Well, it means that you can have encrypted conversations with people.

  • This will stop Gmail from analyzing your emails and sending you targeted ads.
  • This will stop snooping people in your surroundings (at work, in school or wherever) from reading your email.
  • This will stop people from being able to read your email if they get hold of your email password or your email server is hacked (they would also need your private key and the passphrase to the key).
  • This will also protect the email from eavesdropping (if the person you email, or their email provider, doesn't use proper TLS, properly encrypted wifi and so on).

NOTE: I have not reviewed the source code.

Note 1: The Chrome plugin opens a new window to encrypt and decrypt emails; hopefully this stops other Javascript on the page from getting hold of the clear text version of the email.

Note 2: I recently read on #cryptodotis that it is probable that signing with DSA keys is broken with this plugin, since the Random Number Generator in Javascript is bad. This can be avoided with a good implementation, though, but it has not been confirmed for this project. Thus I recommend avoiding signing with DSA keys with this implementation unless you first audit the code.
