Sunday, August 4, 2013

Mailvelope: use OpenPGP encryption on Gmail, Yahoo, Hotmail and other webmail services

 

If you prefer to use a webmail interface such as those provided by Gmail, Hotmail or Yahoo! Mail, you probably know that you cannot really secure your data directly when you are using those services. The majority of popular webmail services do not support email encryption, for instance, which would protect the content of messages from being read by automated tools and anyone else with access.
Mailvelope is a free browser extension for Google Chrome and Mozilla Firefox that introduces OpenPGP encryption to webmail services that you may be using. The extension ships with support for Gmail, Yahoo! Mail, Outlook and GMX by default, and offers options to integrate other web-based email providers as well.
Setup is a little bit complicated, especially if you have never worked with PGP before. After you have installed the extension in your browser of choice, it is necessary to either create a new encryption key or import an existing one.

OpenPGP for webmail services

If you need to generate a new key, you are asked to enter your name and email address, and a passphrase that is used to encrypt and decrypt messages. If you want, you can also change the algorithm and key size (default 1024 up to 4096), and set an expiration date.
You also need to import your contacts' public keys here so that you can encrypt messages for them.
Let me explain how the encryption process works. PGP uses a private and public key pair system. When you generate a new set of keys, you generate a private key and a public key. Others use your public key to encrypt messages for you that only you can decrypt with your private key.
I recommend you check out the settings before you head out to your webmail service of choice to start encrypting your emails.
Some interesting options that you have are the following:
  1. Select whether you want to use the mail service's compose window or a separate editor.
  2. Select whether you want to decrypt messages on the page of the mail provider or a separate window.
  3. Set a primary key you want to be selected automatically.
Here you can also add other mail providers to the list of supported services.
A new icon is displayed in the compose window once you have added at least one key for a supported email address. When you click on it, a new window pops up that lets you compose the message. I highly recommend you keep the default option of composing emails in a separate window as contents may leak otherwise, for example when they are auto-saved.
Once you have clicked on the encryption icon, you can start typing in your message. You do need to click on the Fe> icon once you are done to start the encryption process.
What you need to do is select the recipients of the email. You can only add recipients whose public keys you have imported previously into the application.
Once done, hit the transfer button to send the message to all selected recipients. You may also want to add yourself to the list as you will then be able to read the messages in your sent folder (and inbox).
Encrypted messages appear like normal messages in your inbox. They have a plain text title but the body content is encrypted. When you open an encrypted email, you see random characters and a lock icon in the middle.
A click on the icon opens a password prompt. You need to enter the correct passphrase that you selected during key creation. Once you do, the email is displayed in plain text so that you can read it.
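An encrypted mail like the one described above still exposes metadata: the subject stays readable, and the armored body carries the key ID of every key it was encrypted to, including your own if you added yourself as a recipient. The Python sketch below is an added example, not part of the original article or of Mailvelope; it goes beyond the article by reading the packet layout defined in RFC 4880. The message it parses and the key IDs in it are constructed placeholders, and `build_sample` is a hypothetical helper.

```python
import base64

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:  # decode the armor block and verify its CRC-24 line
    lines = [line.strip() for line in text.strip().splitlines()]
    begin = lines.index("-----BEGIN PGP MESSAGE-----")
    end = lines.index("-----END PGP MESSAGE-----")
    blank = lines.index("", begin)  # armor headers end at the first blank line
    *b64, check = lines[blank + 1:end]
    data = base64.b64decode("".join(b64))
    if check[:1] != "=" or base64.b64decode(check[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch")
    return data

def recipient_key_ids(data: bytes) -> list:  # leading tag-1 packets, version 3 layout
    ids, pos = [], 0
    while pos + 3 <= len(data):
        hdr, first = data[pos], data[pos + 1]
        if hdr == 0xC1 and first < 192:    # new format, one-octet length
            start, length = pos + 2, first
        elif hdr == 0xC1 and first < 224:  # new format, two-octet length
            start, length = pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        elif hdr in (0x84, 0x85):          # old format, one- or two-octet length
            n = hdr - 0x83
            start, length = pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")
        else:
            break                          # first non-tag-1 packet: the encrypted data
        ids.append(data[start + 1:start + 9].hex().upper())  # skip the version octet
        pos = start + length
    return ids

def build_sample(key_ids) -> str:  # constructed message, not real ciphertext
    packets = b""
    for key_id in key_ids:
        body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x08\xff"  # placeholder MPI
        packets += bytes([0xC1, len(body)]) + body
    packets += bytes([0xD2, 3]) + b"\x01\xaa\xbb"  # dummy tag-18 encrypted data packet
    b64, check = (base64.b64encode(x).decode() for x in (packets, crc24(packets).to_bytes(3, "big")))
    return f"-----BEGIN PGP MESSAGE-----\n\n{b64}\n={check}\n-----END PGP MESSAGE-----"

print(recipient_key_ids(dearmor(build_sample(["1111222233334444", "AAAABBBBCCCCDDDD"]))))  # constructed IDs
```

An all-zero key ID in the output means the sender chose to hide that recipient.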

Verdict

Mailvelope adds a much-needed feature to webmail services. You do face a couple of challenges using it, though. First, you need to get your contacts to start using PGP as well, as you can only use it effectively if that is the case.
Second, you rely on the Chrome or Firefox extension, which means that you may not be able to access your email at all times. This is for instance the case if you check your mail in a public library or on a third-party computer.
The current implementation does not support the signing of messages either.
The good news, however, is that it is fully compatible with existing mail encryption solutions that use OpenPGP.