Secure Gmail Adds Email Encryption to Google Mail

A month or two ago this would have seemed like overkill, but now, it’s food for thought …

With PRISM news losing momentum and shifting to Snowden’s whereabouts almost entirely, it is likely that the majority of the world population will have forgotten about it very soon. It is unlikely that anything will be done about it to prevent that data is grabbed by agencies around the world, so that users are left with protecting their data individually.

Secure Gmail is one of those solutions. The application is currently only available as an extension for Google Chrome which somewhat limits its reach, but it is a start and it has a lot going for it. First, it is Open Source which means that you can dive right into the source code to check it out before you start using the extension.

Second, it does the encrypting and decrypting on the local system, so that emails cannot be read by Google or anyone else listening unless the correct password is known or guessed.

Third, it is super easy to set up and use.

The first thing that you need to do is install the Secure Gmail extension for Google Chrome. Once you have done so you will find a new lock icon next to Gmail’s compose button at the top. You click on it to create a secure message, or click on compose to create unencrypted emails instead.

The compose window highlights that the email is secured and you can use it as usual to write the message, add recipients and subjects and all that good stuff.

gmail secured encrypted email messages

Compose a new encrypted email message

A click on send encrypted displays a password prompt that you need to complete. The password you select encrypts the message and needs to be known by the recipient so that it can be decrypted. You can optionally add a password hint to the encryption which may help the recipient figure out the password.

Most of the time though you may need to provide the recipient with the password as hints may help third parties with their decrypting attempts as well.

The email arrives encrypted in the recipient’s inbox. Two different clear text messages are displayed on the screen depending on whether you have the Secure Gmail extension installed or not.

encrypted email

encrypted email shown in browser with Secure Gmail installed

If you do have the extension installed, you get the message that it is encrypted, and that you need to decrypt the message with a password. The password hint is also displayed if it has been added by the sender.

A click on decrypt message with password opens a password prompt on the screen. Enter the password here and if it is correct, the original message is displayed on the screen.

If the Secure Gmail extension is not installed or if another browser is used or a third party email program, then you receive the message that the email is encrypted and that you need to download and install the extension first to decrypt it.

Observations

  1. The extension implements easy to use encryption on Gmail. Encrypting and decrypting is handled locally, and the only requirement to get started is that both sender and recipient have the extension installed.
  2. The recipient cannot reply via encryption. There is no option for that yet, so that it is necessary to click on the lock icon next to compose to reply with an encrypted message of your own. This means that it does not support conversations right now.
  3. The main limitation is that Secure Gmail is only available for Chrome right now. Extensions for other browsers and maybe even Outlook and Thunderbird would be helpful.
  4. The project uses an open source JS crypto library from Stanford.
  5. The extension prevents the saving of drafts for obvious reasons. Since drafts would be saved in unencrypted form to Gmail, they would leak information about the email to the server before it is encrypted.
  6. Attachments are not encrypted.

Closing Words

If you are looking for an easy to implement way to encrypt some of your emails, then Secure Gmail is definitely an extension to consider for that purpose. It is somewhat limited in terms of platforms it supports, and not the right tool if you want or require full encryption.

If you change passwords often, you may also run into decrypting issues eventually as it may be difficult to associate passwords with emails. There are a couple of ways, for instance by using the hint feature or by associating passwords with days, but even then, it may become too complex to be efficient.

Link to Original Content

Tags: , , ,

Comments are closed.