Google Looks to maybe add PGP to GMAIL

  • I personally can't wait for something like this to take hold and really work.

    No I don't do anything worth reading by the NSA or most anyone else, but the mass surveillance is wrong and to open for abuses. I would love to see all, or nearly all internet traffic encrypted.

    I just had a thought - I wonder if it's legal for the NSA (or any branch of the government) to open your postal mail without notifying you first? Like internet traffic, it's flowing through a network outside of your control, but in general we have the expectation that no one without a lawful warrant can open or look at your mail. Why should the internet be any different?

  • Not legal to open postal mail, but not prosecutable either. It's only academic that it is illegal.

  • GPG would be great if they got a few other major players to build it in. Like Office 365.

  • If Gmail gets it - I'd be very surprised if O365 didn't add it shortly there after.

    The thing they have to do is get it working through scripts in the browser or as a plug in for Firefox and Chrome (heck they could just build it into chrome). In this it would be very close to what LastPass does for their encryption - If you don't have the browser plug-in LastPass runs scripts to build the encryption components needed.

    The hardest part will be the private key - where to store it that the NSA/Google, etc don't have access to it, yet is easy for the consumer. The average consumer probably won't be willing to sneakernet a key from device to device to read/send email.

  • No, doesn't need to happen in the browser, can happen on the server. But doing it in the browser should be trivial. JavaScript is crazy powerful these days. It's been over a year since they had Unreal 3 running purely in the browser. A GPG signing would be absolutely trivial. With ASM you can probably do it today yourself.

  • How do you secure your private key? If it's done on the server side then it's possible for the vendor to gain access.

    A history I'm sure you already know:

    Skype used to offer end to end encryption. Even though it used flow/routing points around the internet (though I never understood why - but didn't dig to deep to find out) the traffic was basically unreadable except by the endpoints.
    In walks the NSA putting pressure on Skype to allow them to tap the service exactly like they do the telephone companies lines.
    At some point Skype relents and changes their protocols to route all traffic through central servers which are the termination point for all conversations where they can now be recorded, etc.

    So - once a company can get access to the unencrypted data, you'd be a fool to think they won't, even if they only do when give an NSA letter.

    LastPass' system is setup in such a way that they have nothing to offer the NSA because all of the encryption is down client side. A hash of the password, the salt and the encrypted blob are all that LastPass has on their servers. There's no way to get the password required to decrypt the blob from the hash.
    Therefore as an end user I don't care if LastPass gets a letter because my data is useless to them.

  • What is ASM?

  • ASM is Firefox's C to JavaScript compiler.

Log in to reply