Google To Enable End-To-End Email Encryption, Highlight Good Email Security Practices

from the good-to-see dept

Back in December of 2012, we wrote about (and agreed with) Julian Sanchez's suggestion that Google should do end-to-end encryption of emails, even if it (only slightly) mucked with its advertising business model. The impact on overall security would be great (and this was before the Snowden revelations had even come out). As Sanchez pointed out, not only would this (finally) drive more widespread adoption for email encryption, it would create enormous goodwill among privacy advocates. About six weeks ago, we mentioned this again, when it was rumored that Google was trying to make encrypted email easier, though it was said that it wouldn't go "site-wide" on end-to-end encryption.

A new blog post on the Google blog* has now detailed at least some of Google's plans, including offering a new End-to-End Chrome extension that will make it much easier for anyone to send and receive encrypted email messages. This is a big step forward, and hopefully shows how serious Google is about actually encrypting messages, rather than leaving them open for snooping.

This announcement came along with adding a new section to Google's famed transparency report, entirely focused on email encryption in transit, which will hopefully increase the use of Transport Layer Security (TLS) from other email providers out there. In the initial report, Google notes that 65% of outbound messages on Gmail to other providers use TLS, while 50% of inbound messages use TLS (over the last 30 days). And, more importantly, it highlights who supports TLS... and who doesn't (Comcast seems to be a shameful leader on that front). With some transparency, hopefully it will lead more email providers to adopting TLS.

* For the sake of full disclosure, the author of the blog post on Google's site is an old friend of mine, whom I've known for nearly 20 years (I feel old), since long before he worked at Google. I had no idea he was working on this and actually haven't spoken to him in probably a year or two (because life happens). I didn't find out about it from him, but from people talking about it on Twitter.

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 3 Jun 2014 @ 6:23pm


    Yes, BUT:

    1. The code hasn't been independently reviewed or audited. They've released it -- so now it can be, and probably will be. But it hasn't yet.

    2. It's written in Javascript. Ugh.

    3. It thus still relies on using a web browser to access email, which is a perfectly horrible idea.

    4. It still exposes metadata. (In Google's defense, this isn't solvable in this context because mail has to be addressed to someone.)

    5. Based on their FAQ, it's not clear to me how they expect correspondents to exchange keys.

    6. I'm not entirely sanguine about the way they've chosen to manage the key ring. It might be fine. It might not be. Need to think about it.

    7. Their answer to the question of whether or not attachments are also encrypted is ambiguous. I suspect this is just the result of poor wording choice and not an attempt to be evasive.

    8. They're trying to comply with relevant IETF standards. That's a good thing. But they do note, and probably correctly, that there will likely be interoperability issues, e.g., who is using this Chrome extension with Chrome on Windows, sends encrypted email to, who is using GNUPG and FreeBSD. Will it work? Don't know.

    The killer with this is #4, because -- by definition -- it can't be fixed. "Capturing traffic metadata from gmail" is no doubt a primary objective of many intelligence agencies and it's too much to hope for that they've ALL failed.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.