Google yesterday announced that it has published the source code for its End-to-End extension for Chrome as an open source project on GitHub.
End-to-End enables Gmail users to encrypt, sign and verify email messages within the Chrome browser, using OpenPGP.
“We’ve always believed strongly that End-To-End must be an open source project, and we think that using GitHub will allow us to work together even better with the community,” wrote Stephan Somogyi, Product Manager, Security and Privacy for Google.
Google is calling the updated version of End-to-End an alpha release and hopes to get community feedback. This version, however, already includes contributions from Yahoo’s security team. In August, during the Black Hat USA conference in Las Vegas, Yahoo CISO Alex Stamos announced that Yahoo would enable end-to-end encryption for Yahoo Mail users, and at the same time announced a partnership with Google.
Yahoo, Google and other companies have been implicated on several occasions as being tacitly cooperative with intelligence agencies gathering user data from Internet companies. Both tech giants, as well as many others, have taken great pains to distance themselves from such allegations, announcing several initiatives aimed at encrypting web-based services.
Yahoo, for example, also announced this summer that it is working on enabling HSTS on its servers, as well as certificate transparency.
HSTS (HTTP Strict Transport Security) allows Web sites to tell users’ browsers that they only want to communicate over an encrypted connection. The certificate transparency concept involves a system of public logs that list all certificates issued by cooperating certificate authorities. It requires the CAs to voluntarily submit their certificates, but it would help protect against attacks such as Web-site spoofing or man-in-the-middle interception.
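To make the HSTS mechanism concrete, here is an added example (not Google’s or Yahoo’s code) that parses a Strict-Transport-Security response header the way RFC 6797 describes and reports how strongly the policy commits a site to HTTPS. The one-year threshold used to call a policy “strong” is an assumption, not anything the article states.

```python
"""Minimal HSTS policy checker (added example, not from the article)."""
import re

# Assumption: a max-age of at least one year counts as a strong commitment.
ONE_YEAR = 365 * 24 * 3600


def parse_hsts(header: str) -> dict:
    """Parse an STS header value into its directives.

    Directive names are case-insensitive, max-age is required and may be
    quoted, each directive may appear only once, and unknown directives
    are ignored (all per RFC 6797).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted-string form is allowed
        if name == "max-age":
            if policy["max_age"] is not None or not re.fullmatch(r"\d+", value):
                raise ValueError(f"invalid or duplicate max-age: {directive!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def assess_hsts(header: str, over_https: bool = True) -> str:
    """Classify a header as 'ignored', 'disabled', 'weak' or 'strong'."""
    if not over_https:
        return "ignored"  # browsers only honour HSTS received over HTTPS
    policy = parse_hsts(header)
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells the browser to forget the host
    if policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]:
        return "weak"  # short-lived or leaves subdomains unprotected
    return "strong"


# Constructed sample header values for demonstration
SAMPLES = ["max-age=31536000; includeSubDomains", "max-age=300", "max-age=0"]
```

Running `assess_hsts` over `SAMPLES` yields `strong`, `weak` and `disabled` respectively; the same header delivered over plain HTTP is reported as `ignored`.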
Google said this version of End-to-End also incorporates fixes for two bugs submitted to its Vulnerability Rewards Program, and it hopes that the alpha will generate community feedback on End-to-End’s new crypto library.
Google’s Somogyi also said End-to-End isn’t yet stable enough for release into the Chrome Web Store.
“We don’t feel it’s as usable as it needs to be. Indeed, those looking through the source code will see references to our key server, and it should come as no surprise that we’re working on one,” Somogyi said. “Key distribution and management is one of the hardest usability problems with cryptography-related products, and we won’t release End-To-End in non-alpha form until we have a solution we’re content with.”
End-to-End is based on OpenPGP, which requires less technical understanding to deploy and run, Somogyi said.
While End-to-End will be available to anyone, Google acknowledges it’s likely not within the average user’s wheelhouse.
“We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection,” Somogyi said. “But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it.”