Google adding End-to-End encryption

Yesterday Google announced that they will be adding more encryption to Gmail. The company plans to release an extension to Chrome called End-to-End for users who feel they need an additional layer of protection to guard their communications from prying eyes.

In a post on their Online Security Blog, Stephan Somogyi, Product Manager, Security and Privacy, announced that they will be releasing an alpha version of the End-to-End code that uses OpenPGP encryption.

“End-to-end” encryption means data leaving your browser will be encrypted until the message’s intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser.

While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools.

The alpha code isn’t quite ready for prime time, but Google is releasing it now “so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it.”

Google is also offering a financial reward for anyone who discovers security holes in the code.

The End-to-End encryption is intended to augment Google’s existing security and is not necessarily intended for everybody or for everyday use. As Somogyi says, “We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection. But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it.”

As I’ve mentioned in other articles, I think it’s a good thing that more and more companies are beginning to provide stronger and more varied encryption; however, encrypting emails is only a small hole in a boat that is rapidly taking on water. As we connect more and more people, companies, apps, devices and so on to each other, we have added more and more weaknesses to our overall security. A hacker need only find one chink in the armor and use that to get deeper and deeper into our systems.

One stolen (or guessed) password allowed hackers to get into a catering company’s system last fall, and that company happened to be a supplier for Target stores. Since the catering company had limited access to the Target corporate computers for submitting invoices and other perfectly legitimate purposes, the hackers were able to use that access to get into the Target system. Once inside, they were able to plant their malicious code and steal tens of thousands of customers’ credit card information. I don’t think encrypting Target’s emails could have done anything to prevent that.

But Google’s End-to-End is still a good start.