
Google's E2Email Gmail Encryption Looks a Lot Like Vaporware - remx
https://www.wired.com/2017/02/3-years-gmails-end-end-encryption-still-vapor/
======
bjornedstrom
I am not surprised. I got sick in 2014 and spent a summer implementing OpenPGP
from scratch. It is _extremely_ ugly. If I was Google I would make something
better and push that, instead of spending tearful days implementing the really
bad specification that is RFC4880.

~~~
ouid
I feel like there is a logical connection between you getting sick and working
on an OpenPGP implementation, but I cannot for the life of me figure out what
that connection is.

------
nikcub
Mailvelope is OpenPGP as a browser extension and works ok with GMail:

[https://github.com/mailvelope/mailvelope](https://github.com/mailvelope/mailvelope)

------
mtgx
Google stopped working on End-to-End at least a year ago:

[https://motherboard.vice.com/en_us/article/google-yahoo-end-...](https://motherboard.vice.com/en_us/article/google-yahoo-end-to-end-email-encryption-work-in-progress)

And now they've "open sourced it" with minimal changes since then. Sounds to
me like they stopped working on it, but they didn't want to keep getting asked
by the tech media and crypto people about the project's status. So they went
"Here, it's all yours now! You're welcome. Yes, we know how awesome we are."

But it doesn't look quite finished, so I wonder if anyone will bother to
complete Google's half-assed job. Google didn't even bother to integrate it
with Key Transparency before open sourcing it. That speaks volumes as well.

They've recently also released a centralized/hosted version of S/MIME for
enterprise users as well, again showing their complete disinterest in
continuing to support _end-to-end_ crypto.

[https://security.googleblog.com/2017/02/hosted-smime-by-goog...](https://security.googleblog.com/2017/02/hosted-smime-by-google-provides.html)

I'm guessing they stopped working on End-to-End around the time they started
working on the hosted S/MIME. I wouldn't get my hopes up about Google
supporting end-to-end crypto in the future. Now I'm starting to wonder if
they'll also kill the feature in Allo, or just hide it some more in future
releases, so that it becomes even harder to use.

~~~
lclarkmichalek
E2E email is a bit of a lost cause, so probably better that they not waste
their time.

~~~
CaptSpify
Why do you say that?

~~~
whyever
It is extremely hard to use compared to Signal or WhatsApp and has worse
cryptographic properties.

~~~
drdaeman
Counterexample to "hard to use" point: Protonmail.

(Arguably, it's easier to use _for some scenarios_, compared to Signal or
WhatsApp, because one doesn't need to have a reachable mobile phone number.)

As for the crypto - I think, OpenPGP isn't broken or "worse", just has
different properties (like lack of standardized PFS, which has both cons and
pros). But, yes, protocol limitations for metadata security (e.g. subject
lines) are an issue.

~~~
baobrain
Problem with protonmail is that it is only end to end encrypted within their
system...

~~~
drdaeman
It's not the only problem they have (there is a lot of important
functionality missing or limited), but it's not related to the "extremely hard
to use" point, and it's all doable and isn't done because they have limited
resources.

------
libertymcateer
So, it is still decidedly beta (more accurately, alpha), but I wrote and just
released [http://gibber.it](http://gibber.it), to allow users to send
end-to-end encrypted messages through basically any place in a browser that you can
enter text.

I wrote this because it seems to me that the lack of end to end encryption in
services like gmail is a problem - it also seems to me that there is no reason
to have this service tied to a particular website, or for it to be
administrated by another service provider. Accordingly, all GibberIt does is
provide the encryption and key exchange - use it on gmail, nytimes comment
boards and reddit (all working well so far) - or wherever the hell else you
want. It will soon (I hope...) be working on facebook too (their
content-security-policy is very strict - rightly so - and I am making the extension
compatible with these requirements).

* It currently functions as a chrome extension.

* Sign up, invite connections just like any other social network.

* Encryption is end to end, AES 128 with nonce'd salts.

* Use a password you share with your connection (NOT your login password) to send connection invites - this is used to encrypt your keys during the invite process. (Make sure to accept the return invite! This is how your connection sends his or her keys back to you. Also note that you will likely need to reload any tab running the extension after accepting an invite in order to get the keys to load.)

* Use the chrome extension to encrypt and decrypt messages as you browse.

* I am, by profession, a corporate, software and information lawyer. More about me here: [http://www.lawyernamedliberty.com](http://www.lawyernamedliberty.com)

Demonstration gifs of GibberIt here:
[https://www.gibberit.com/#!how](https://www.gibberit.com/#!how)

Please note that the system is in BETA. Still many tweaks to work out. Use is
at your own risk.

Please feel free to ask any questions you may have. I welcome any and all
feedback. Love the system? Hate the system? Please let me know.

Edit: Please note that the gibberit homepage - AND NO OTHER PAGE - uses google
analytics. This is clearly detailed in my privacy policy. Aside from that, I
do not use any tracking software.

------
exo762
Google once again has proved that 'Google fighting surveillance' sounds like
'rock musicians fighting drugs' and 'bees fighting honey'.

~~~
tehlike
Aside from lack of funding, it might actually be better for the community to
maintain this, no? I'd certainly prefer an independent set of developers build
this, on principle.

PS: goog employee

------
uladzislau
How would they display ads in email accounts if the content is encrypted? Just
pure pragmatic reason.

~~~
CaptSpify
Even if that were true, that's not reason enough for me. Why can't they just
display random ads on the side-bar? There's no reason they need to read my
emails for that.

~~~
whynotiwillte
Because anonymized ads cost advertisers wayyyy less than targeted ones, so
gmail profits would fall significantly.

~~~
CaptSpify
profits falling != impossible to do

There's no reason they couldn't still send targeted ads based on other user
info.

This is a choice gmail has to make between doing the right thing, and doing
the profitable thing.

