GPG for Gmail, Yahoo! Mail, Hotmail and more

A colleague of mine just sent me this link to freenigma:

freenigma uses one of the most famous and most widely used cryptographic software packages in the world: the GNU Privacy Guard (GnuPG)

It runs as a Firefox extension with an IE version in the pipeline. It's still early days yet - there's no encryption of attachments and digital signatures are disabled at present - but this looks promising. If you're interested, I'd recommend reading their FAQ. They've thought things out pretty well and are probably onto a winner here.

I've not been able to work out what type of licence the product is being released under. They're planning to offer this for free for individual use, which suggests a closed source :-(

Comments

Unfortunately this looks like it sends my message to their server to be encrypted / signed. That means that they need to have my private key to sign stuff, and that they know the symmetric key for messages I'm sending. In other words, I have to trust them a whole lot more than I'm willing to trust anyone.

Bummer.

From http://www.freenigma.com/frequentlyaskedquestions/

Does freenigma send my mails to the freenigma server for encryption? No. All mail is encrypted or decrypted directly in the webmail client (i.e. directly in the browser). But how does that work?! For the experts: when making an encryption request, the freenigma extension sends nothing more than the list of recipient addresses to the freenigma server. In response, it receives a random session key for symmetric encryption within the client as well as an asymmetric encrypted session key for all the recipients. AES encryption is then performed within the client using the unencrypted session key. Then, the user script in the client combines the symmetric encrypted mail text and the asymmetric encrypted session key to create the OpenPGP binary format.

Bwhahahaha! This is utterly and completely useless, perhaps even bordering on dangerous for the uninformed. Today's PCs are more than sufficient to provide the computing power and entropy necessary to encrypt using asymmetric encryption. Get a true email client. Get a GPG plugin for that client, and kiss web-mail goodbye forever.

If you want security, you can't use webmail.
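
Added example, not part of the original post or its comments and not freenigma's code: a Node.js model of the key flow quoted from the FAQ, next to the variant in which the client generates the session key itself, showing what the key server is in a position to retain in each case. The key server object, its method names, the address, and the choice of AES-256-GCM and RSA-OAEP are assumptions for illustration; OpenPGP packet framing is omitted.

```javascript
// Added illustration of the key flow quoted from the FAQ; not freenigma's code.
const nodeCrypto = require('node:crypto');
// Constructed recipient key pair, standing in for the recipient's OpenPGP key.
const bob = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const wrap = (pub, key) => nodeCrypto.publicEncrypt(pub, key);
const unwrap = (blob) => nodeCrypto.privateDecrypt(bob.privateKey, blob);

// Hypothetical key server; `seen` records every session key it has handled.
function makeKeyServer(publicKeys) {
  const seen = [];
  return {
    seen,
    // FAQ flow: the server creates the session key and wraps it per recipient.
    requestSessionKey(addrs) {
      const sessionKey = nodeCrypto.randomBytes(32);
      seen.push(sessionKey);
      return { sessionKey, wrapped: addrs.map(a => wrap(publicKeys[a], sessionKey)) };
    },
    // Alternative flow: the server only hands out public keys.
    requestPublicKeys: addrs => addrs.map(a => publicKeys[a]),
  };
}
// AES runs in the client in both flows (GCM is assumed; the FAQ only says AES).
function seal(key, text) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}
function unseal(key, { iv, body, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}
// For each flow: how many session keys the server saw, and who can read the mail.
function compareFlows(text) {
  const keys = { 'bob@example.org': bob.publicKey }, to = Object.keys(keys);
  const a = makeKeyServer(keys), b = makeKeyServer(keys);
  const { sessionKey, wrapped } = a.requestSessionKey(to);
  const mailA = seal(sessionKey, text);
  const localKey = nodeCrypto.randomBytes(32); // generated in the client
  const wrappedB = b.requestPublicKeys(to).map(pub => wrap(pub, localKey));
  const mailB = seal(localKey, text);
  return {
    serverGenerated: { keysSeen: a.seen.length, recipient: unseal(unwrap(wrapped[0]), mailA),
      server: unseal(a.seen[0], mailA) }, // readable without any private key
    clientGenerated: { keysSeen: b.seen.length, recipient: unseal(unwrap(wrappedB[0]), mailB) },
  };
}
```

In the server-generated flow, confidentiality depends on the server discarding the session key after handing it out; the FAQ excerpt does not say whether it does.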

Hi DyTu - thanks for dropping by! I'm not sure why you believe this is utterly useless. I've never tried it, as I don't use web-based email providers, but I believe it's useful for those that do.

Take travelers, for example. Most that I've met don't carry a laptop with them. They stop off at Internet cafes and use web-based email. They probably don't want to spend a few minutes creating a new mail account on the email client running on the computer they're using, only to have to make sure they clean up all the personal data before walking away.

I dispute your opinion that you cannot use webmail if you want security. So long as you connect over SSL, you're more secure than the desktop email client users that connect over insecure IMAP or POP which, to be honest, is the majority of them.

As for dangerous, please explain. It's early and I'm still waking up, but I can't see the danger...

Cheers!
