
Ask HN: browser extension to encrypt emails in gmail client-side - rheide
Hey everyone, I was wondering if anyone knows of a browser extension that hooks into the gmail interface and can encrypt the contents of an email before sending it.

It's always a problem to make security available for the masses (and actually secure!). Here's how I'd do it if I had to set one up.

The Chrome extension would prevent gmail from reading the email fields, preventing the saving of drafts server-side. On sending the email it would encrypt the content with a key that is unique per receiving address. If the client has the extension installed it can decrypt the contents automatically on display.

The problem is getting the decryption key across to the recipient securely, but that only has to be done once. After that the browser extension can hold it indefinitely. It could be done with a trusted third party site, which only holds the key for a very short time, and only for the first email sent to a new recipient. Power users could of course use their own ways of getting keys across.
======
runn1ng
I know one that is easy to use, secure and working (because I _very_ slightly
helped with the development).

[http://www.mailvelope.com/](http://www.mailvelope.com/)

It is more secure than you would think - see

[http://www.mailvelope.com/blog/security-audit-and-v0.6-relea...](http://www.mailvelope.com/blog/security-audit-and-v0.6-release)

it prevents from saving the drafts well. What is not yet implemented are
signatures

------
daenney
WebPG or Cr-gpg perhaps can handle the GPG part probably.

I'm not so sure about the not saving Drafts, that would require rewriting some
bits of Javascript which might break other stuff.

As for key exchange, that shouldn't be handled by an extension. If you want to
encrypt your e-mail so the other party can read it, encrypt it with their
public key, which by definition is public and can be uploaded to a keyserver.

~~~
rheide
Since the public key is public, any eavesdroppers will also be able to read
the email. There is no point in the extension if you use the recipient's
public key. It must be a mutually agreed secret.

~~~
mknits
Email encrypted with the recipient's public key can only be decrypted by
the recipient's private key.

It is the most secure way to send an encrypted email.

------
switch33
Somewhat relevant: [https://github.com/progrium/irc-for-gmail](https://github.com/progrium/irc-for-gmail)

------
bifrost
You'd be better off using a non-gmail service with this sort of privacy
requirement anticipated. Gmail is a pretty uninspiring service to use fully
encrypted.

~~~
rheide
I agree, but I have to disagree. I'd gladly use a more secure email service,
but the problem is: 99% of everyone I know uses gmail or Google Apps. It
doesn't matter if I encrypt my email if everyone I communicate with is
vulnerable. The trick is getting the layman to accept something simple like a
browser extension. If even 20% of the people I communicate with would consider
using the extension I would be very happy.

~~~
bifrost
The trick is to reduce the threat surface, not to do what's right all the time,
removing gmail from your side makes your threat surface lower. Browser
extensions don't provide security, and it's unlikely that chrome would be
immune to google-wide spying programs.

~~~
rheide
That's a good point actually. Chrome would be just as vulnerable as gmail..

