[Cryptography] Google "End to End"

Peter Trei petertrei at gmail.com
Fri Jun 6 13:00:51 EDT 2014


Tom Mitchell writes:

> > Google is putting a toe into the crypto world
> > for email.....
>
> >  https://code.google.com/p/end-to-end/
>
> > Source:
> >  git clone https://code.google.com/p/end-to-end/
>

This is actually kind of interesting. The FAQ is quite clueful, and is
aimed at developers.

What they've done is implemented OpenPGP with EC in JavaScript, as a
plugin for the Chrome browser. At the moment only source code is available,
and they request that developers not include it in fielded apps until it's
more baked. It generates only EC keys (haven't dug into the sources to find
the details yet), but you can import RSA based keys generated by GnuPG. It
maintains its own keyring, with both public and private keys. It encrypts
message bodies, but not attachments, subject: or to: lines.

They're very aware of the criticism they'll get for doing crypto in JS.
They feel they're protecting data in transit, and the sandboxing protects
them against other Chrome extensions. They explicitly don't claim
protection against non-browser malware.

Security bugs you find are eligible for the Vulnerability Awards program.

To me, one of the interesting aspects is that this breaks part of Google's
business model; they won't be able to scan message bodies for keywords on
which to target advertising.

Peter