[Cryptography] any reviews of flowcrypt PGP for gmail?

Phillip Hallam-Baker phill at hallambaker.com
Mon Aug 24 12:38:03 EDT 2020


On Thu, Aug 20, 2020 at 8:58 PM Sid Spry <sid at aeam.us> wrote:

> On Thu, Aug 20, 2020, at 5:47 PM, John Denker via cryptography wrote:
> > Has anybody vetted flowcrypt?  It purports to provide PGP for gmail.
> >
> > https://chrome.google.com/webstore/detail/flowcrypt-encrypt-gmail-w/bnjglocicdkmhmoohhfkfkbbkejdhdgc
> >
> > It claims to provide "end to end" crypto, but as we've seen lately,
> > that doesn't always mean what we might want it to mean.
> >
>
> Well, I see a few problems, most of them unrelated to the actual
> implementation:
> 1. Updates pushed from Chrome app store. Updates that compromise the
> encryption could be pushed to targeted users.
> 2. The plugin runs in the browser and could likely side channel message
> info via analytics/tracking APIs, etc.
>
> > It also claims to be easy to set up and use.
> >
>
> As I'm sure you know, this is good for getting people to actually use it. I
> think Telegram or Signal fare better, but are not suitable for all
> conversations perhaps.
>

Telegram and Signal have the same issue with the possibility of downloading
a poisoned update. Signal in particular demands weekly updates.

The only way to be confident of the code is if there is a genuinely open
standard and open service model. Neither Signal nor Telegram qualified.