OpenPGP implementation for webmail encryption

The idea of being able to encrypt and decrypt their email correspondence might appeal to a lot of users, but not all of them are technically savvy enough to implement solutions such as PGP (Pretty Good Privacy) on their computers.

But researchers from security firm Recurity Labs might have come up with a rather helpful (if still not completely foolproof) solution to that problem.

Enter GPG4Browsers, a JavaScript implementation of the OpenPGP Message Format which allows users to use encryption when sending emails from Web-based mail applications.

Created by a group of researchers from security company Recurity Labs, this prototype is currently only available as an extension for the Chrome browser, but if we consider its name, extensions for other popular browsers might not be far behind.

According to the researchers, the prototype for now allows only the encryption and decryption of messages, the signing and verifying of message signatures, and the importing and exporting of certificates. It supports all asymmetric and symmetric ciphers (except IDEA) and hash functions specified in the OpenPGP standard.

Currently unavailable are the generation, manipulation or creation of signatures on keys, the use of several signature types on keys, the encryption of messages with only a symmetric cipher and the compression of data packets.

The prototype is ideally used in environments where code or programs cannot be executed at the operating system level, say the researchers, but they warn in the developer documentation that it should not be used if complete confidentiality and integrity of the transmitted data is needed since “memory-wipe of private data and validation of a secure execution environment cannot be achieved in JavaScript”.

In short, it seems that for now the browser extension can come in handy only to users who want to use it on their own computers, and only if they are sure they haven’t been compromised in any way. Adding it to a browser on public or unfamiliar computers should be out of the question, and this fact severely limits its use.
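The memory-wipe limitation quoted from the developer documentation can be seen in a few lines of JavaScript. This is an added example, not code from GPG4Browsers or Recurity Labs; the function names and the sample passphrase are constructed for illustration.

```javascript
// Overwrite a typed array in place. This clears the one buffer the script
// holds; it says nothing about copies the engine may keep out of reach.
function wipe(bytes) {
  bytes.fill(0);
  return bytes.every((b) => b === 0);
}

// Follow a passphrase through the steps a browser-side encryption tool would
// take, then report which copies the script was able to overwrite.
function traceSecretCopies(passphrase) {
  // 1. The secret arrives from a form field as a string. Strings are
  //    immutable: the write below is ignored (sloppy mode) or throws
  //    a TypeError (strict mode), so the characters cannot be cleared.
  let stringOverwritten = false;
  try {
    passphrase[0] = '\0';
    stringOverwritten = passphrase.charCodeAt(0) === 0;
  } catch (e) {
    // strict mode: assignment rejected, string unchanged
  }

  // 2. Encoding to bytes creates a second copy, this time a mutable one.
  const bytes = new TextEncoder().encode(passphrase);

  // 3. subarray() is a view on the same buffer; slice() is an independent
  //    copy, as made whenever a helper function duplicates its input.
  const view = bytes.subarray(0, 4);
  const copy = bytes.slice(0, 4);

  // 4. Wiping reaches the buffer and its views, not the string or the copy.
  const bytesCleared = wipe(bytes);

  return {
    stringOverwritten,                          // false
    stringAfter: passphrase,                    // still the full secret
    bytesCleared,                               // true
    viewCleared: view.every((b) => b === 0),    // true (shared buffer)
    copySurvived: copy.some((b) => b !== 0),    // true (separate buffer)
  };
}

// Constructed sample input.
console.log(traceSecretCopies('correct horse battery'));
```

Only the typed array and its views can be zeroed; the original string and any duplicated buffer stay in memory until the garbage collector reclaims them, at a time the script does not control.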

The code of the implementation has been released under the GNU Lesser General Public License, and it is available here.
