8 March 2017

End-to-End Email Encryption: Google Pushes Latest Project to Open Source

By Douglas Bonderud

Email encryption is becoming a top enterprise priority. Politico noted that after an increased cybersecurity focus during the election, end-to-end (E2E) encryption is “booming” as government officials race to ensure they aren’t caught unprotected.

The problem is that while tools such as Pretty Good Privacy (PGP) offer solid security, they can be cumbersome to set up and difficult to use. Google recently backed a Chrome app, E2EMail, to streamline the encryption experience but, according to Threatpost, has now pushed the project to open source communities. What’s next for E2E efforts?

The Email Issue

Email remains a go-to threat vector for malicious actors. Despite the growing use of mobile devices and real-time collaborative tools, email is a corporate mainstay for both its usability and the ability to create paper trails in the event of an audit or legal challenge.

Common email scams run the gamut, from classic phishing hooks asking users to download files or visit compromised webpages to authentic-looking messages from actors impersonating C-suite executives that demand immediate employee action. But cybercriminals are never content with existing options.

As noted by CSO Online, the recent Yahoo breach prompted malicious actors to create a custom-built phishing campaign that claimed accounts had been locked for “failing automated security server update” and prompted users to “update” their accounts. It’s a clever ruse — leverage the fear of an existing breach to compromise corporate email accounts.

The Managed Message Mandate

PGP remains the de facto standard for encrypting emails from sender to receiver, though it’s worth noting that even PGP doesn’t obfuscate the subject line or the identities of the correspondents. As noted by ZDNet, an increased public focus on cybersecurity has prompted the development of alternatives such as ProtonMail, Wire and WhatsApp.

Google’s email encryption alternative was designed to provide a simple and streamlined experience by integrating OpenPGP into Gmail using a Chrome extension. While Google experts contributed to the project for more than a year, it was cut loose in late February as entirely open source.

So what’s the big deal? According to Google, the app “behaves as a sandbox where you can only read or write encrypted email” — in other words, any mail sent from the app is automatically signed and encrypted, Threatpost reported. It supports PGP and MIME text messages and, even when sent through Gmail, makes it impossible for any provider to crack message contents.

By linking the app with the Chrome browser, Google hoped to eliminate the complexity of most PGP deployments and make email security the default mode for corporate communications, rather than an outlier.
The Future of Email Encryption

Under open source development, meanwhile, the sky’s the limit. The search giant said E2EMail will be able to take advantage of in-development key transparency initiatives, which will hopefully replace the aging web-of-trust model. Still, expanded functionality and specific features rely on the interest and talent of open source developers.

In the best case scenario, E2EMail will be a jumping off point for better, faster and more streamlined email encryption. Worse case, it’s just another encryption tool in the growing market. Either way, it’s an improvement over the current model of managed email messaging.

No comments: