OpenPGP JavaScript implementation allows webmail encryption

German company releases OpenPGP Chrome extension to facilitate webmail encryption

Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages.

Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with Gmail.

According to its developers, GPG4Browsers is a prototype, but it supports almost all asymmetric and symmetric ciphers and hash functions specified in the OpenPGP standard.

The OpenPGP specification uses public key cryptography to encrypt and digitally sign messages and other data. It is based on the original PGP (Pretty Good Privacy) program and is most commonly used for securing email communications.

Setting up a PGP variant to work with a particular email client on a local computer can prove troublesome for less technical users, not to mention that it's not portable. A PGP user who wants to send and receive encrypted emails from a different computer, would have to install it on that system first, import his private and public keys into the local database, known as the keyring, and then configure his email client.

The benefits of a JavaScript-based implementation that runs inside the browser is that it doesn't require a dedicated email client or other software installed on the computer.

At the moment, GPG4Browsers only works in Google Chrome and is not available for download from the Chrome Web Store. However, if the name is any indication, the extension will be ported to other browsers in the future.

Users interested in giving it a try must download it manually and install it as an unpacked extension. This can be done from the Tools > Extension page by checking the "Developer mode" box and clicking on "Load unpacked extension."

The current release is limited by the fact that it cannot generate private keys, although the menu for doing this is present, so the feature will most likely be implemented in the future.

Importing public and private keys works fine and when browsing on Gmail a black lock icon is displayed in the address bar. Clicking on it will open a dialog for composing an encrypted or a digitally signed message.

Similarly, when an encrypted message arrives in the Gmail inbox, the browser asks users if they want to open it with GPG4Browsers. The extension can decrypt messages signed with GnuPG (GNU Privacy Guard), a popular open source PGP implementation, but only if data compression isn't used.

The GPG4Browsers source code is available under a GNU Lesser Public License so the tool can be easily improved to support additional webmail providers. The developers also provide documentation which explains the available APIs.

An OpenPGP JavaScript implementation offers convenience and portability, but also has some downfalls. "Since memory-wipe of private data and validation of a secure execution environment cannot be achieved in JavaScript this implementation should not be used in environments where the confidentiality and integrity of the transmitted data is important," the developers warned.

This means that GPG4Browsers shouldn't probably be used on a computers system when there's reason to believe that it might be infected with malware or compromised or in some other form. However, in such cases the user can always boot from a live Linux CD or a similar read-only environment.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Topics: security, encryption, Recurity Labs
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?