Google is considering end-to-end encryption for Gmail

Shawn Knight

Posts: 15,240   +192
Staff member

google gmail email encryption pgp pretty good privacy end to end encryption

Google is said to be looking into ways to make end-to-end encryption tools such as PGP (Pretty Good Privacy) easier to use with Gmail. The utility is already compatible with Gmail but its complex nature has kept it from reaching a mainstream audience.

How exactly Google plans to integrate PGP into Gmail is a bit of a mystery as it poses some pretty significant issues. With end-to-end encryption, only the sender and receiver can read the contents of a message. That’d be problematic for Google as the company currently scans Gmail messages for advertising keywords.

What’s more, Google would have to contend with the issue of lost passwords. Under such a scenario, only the end user would ever have access to the decryption key meaning the provider couldn’t recover data without it.

The company would either have to make it crystal clear exactly how important keeping up with the password is or perhaps use a cryptographic technique called key stretching that makes a short password stronger so individuals wouldn’t have to remember a lengthy password.

If it comes to fruition, it’d be the latest in a string of security upgrades at Google. Last month, the search giant took steps to boost the security of data that travels between data centers and moved Gmail to an HTTPS-only connection by default. All of these changes have come as a result of the mass surveillance revelations exposed by NSA leaker Edward Snowden.

Permalink to story.

 
Mailvelope makes using PGP dead simple with GMail. Surely Google can't be suggesting that their users are so stupid as to not be able to follow such simple instructions as clicking on a padlock to encrypt/decrypt a message?!
 
"The company would either have to make it crystal clear exactly how important keeping up with the password is or perhaps use a cryptographic technique called key stretching that makes a short password stronger so individuals wouldn’t have to remember a lengthy password."
If they would implement it this way, it would be completely pointless, because the encryption would be as easy to break as breaking the password itself. Which is usually not so hard, considering how dumb passwords people use or how easy it is to trick them into giving said passwords away with social engineering and phishing.

Also PGP does not work with long password, but with asymmetric encryption and public/private key pairs. Now unless those keys were owned by the user only, they would be also pointless, because Google could still be forced (by law) to give them away, without even letting the user know about this.

The other problem is: if emails were travelling encrypted through Google's systems and not even Google would have the keys for them, they couldn't analyze the emails either and could not attach relevant ads to them. At any point they would still do, they'd defeat the purpose of the end to end encryption. And without the ability to attach ads, this would obviously a no-go for them. (Unless they limit this functionality for paying subscriber accounts only.)

So this is most likely just a PR stunt - like most announcements and leaks from Google since the Snowden revelations - which will actually not provide an effective countermeasure against spying, and will not result in actual increase of security for the end-user, regardless of Google using the magic word "encryption" all over.
 
I thought PGP was on the way out and GPG was what everyone was upgrading to. Why are they using the old method?
PGP and GPG are not names of encryption methods, but software products/packages. Functionally they can be considered practically the same, with the only real difference the former being proprietary and the latter being an open source solution.
 
So this is most likely just a PR stunt - like most announcements and leaks from Google since the Snowden revelations - which will actually not provide an effective countermeasure against spying, and will not result in actual increase of security for the end-user, regardless of Google using the magic word "encryption" all over.

Yeah, sounds like it... how will Google be able to filter out my spam if they can't access the email contents?
 
Mailvelope makes using PGP dead simple with GMail. Surely Google can't be suggesting that their users are so stupid as to not be able to follow such simple instructions as clicking on a padlock to encrypt/decrypt a message?!

Agreed, Mailvelope is pretty user-friendly to begin with. Sadly I imagine the majority of gmail users aren't aware of Mailvelope, so maybe they want to create something in-house or this is just a PR stunt as @FF222 raises.

Yeah, sounds like it... how will Google be able to filter out my spam if they can't access the email contents?

Advertisers/spammers wouldn't use encryption as it would require everyones public key. If Google does anything, they will likely mimic in some fashion Mailvelope.
 
The only words in the laypersons frustrum will be SAFE, ENCRYPTION, SECURE, GOOGLE.
An easy lie to tell is that you're going to do something; It works.. against most people.. all of the time.

Just a save-face tactic and to cull non-google solutions to a problem coconspired by google.
 
Startmail.com, currently in beta, is going to offer exactly that: on-server PGP.

Of course, it's not as secure as doing it locally but it's a start and good and easy enough for most folks.

They also have an interesting feature of sending a semi-secure message to non-PGP users with mutually agreed upon password authentication. (send message from Startmail to non-pgp user, user gets SSL link, opens it, enters password, sees message. The reply, still over the same SSL link, will be encrypted with Startmail user's PGP key and sent to his inbox).
 
Back