Google unveils source code for Chrome encryption extension
Google has made publicly available the source code for a new Chrome extension that helps users encrypt, decrypt, digitally sign, and verify signed messages within the browser using OpenPGP.
The extension, dubbed End-To-End, has not yet been released in the Chrome Web Store. “We’re just sharing the code so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it,” Stephan Somogyi, Product Manager, Security and Privacy at Google noted.
The alpha release of the extension is built upon a newly developed, custom JavaScript-based crypto library, and implements the OpenPGP standard for key generation, encryption, decryption, digital signing, and signature verification.
With the extension, the body of the message (but not the email subject line and list of recipients) is encrypted and decrypted locally in the browser. For those worried that their private key might not be safe, the company advises users to choose a passphrase for their keyring, so that private keys are stored encrypted in localStorage. While in memory, the key is protected by the Chrome sandbox.
The company has asked users not to use the code to build an extension and submit it to the Chrome Web Store before they do. “The End-To-End team takes its responsibility to provide solid crypto very seriously, and we don’t want at-risk groups that may not be technically sophisticated — journalists, human-rights workers, et al — to rely on End-To-End until we feel it’s ready,” they said. “Prematurely making End-To-End available could have very serious real world ramifications.”
Somogyi has pointed out that the company chose to create such an extension because other end-to-end encryption solutions such as PGP and GnuPG require a great deal of technical know-how and manual effort to use.
The release of the code has piqued the curiosity of many cryptographers and security researchers, and Google is offering an added incentive for them to poke around: any security bug they find can be submitted to the company’s Vulnerability Reward Program and is eligible for a monetary prize.
The code and technical details about the extension are available here.
Google has noted that “implementing crypto in JavaScript is considered heretical by some,” and has acknowledged the risks of vulnerabilities and side-channel attacks, but believes that they did a good job at mitigating them.
“The threat model we are trying to address discounts adversaries with physical access and users with malware outside the browser,” they shared. “Chrome’s design means that extensions should be safe against other extensions. Adversaries with this level of access have a plethora of attacks available to compromise data even in systems that control their memory carefully and wipe it.
In related news, the company has simultaneously added a new section to its Transparency Report. The section aims to show users how much of the communications Gmail deals with is encrypted in transit, and which services support encryption in transit.