Halfway through doing my last blog post on PGP, this Web mail pop-up caught my interest:
Mailvelope is a browser extension which ‘brings OpenPGP encryption to webmail services such as Gmail, Yahoo and others’. Does it provide any advantage over the other method of encrypting text files? Well, kind of. Mailvelope stores PGP keys locally and converts a plaintext message into ciphertext without the user having to leave the browser – that alone is a major improvement on usability. I had a few problems with the setup, as the recovery key for GMX’s encryption didn’t export properly to PDF (basically I’ve lost it).
Mailvelope’s FAQ page states that keys are only stored locally, and explains that security depends on the endpoints being resistant to attack. It is transparent about the extension scanning all Web pages to determine whether the page being displayed is a Webmail service.
What’s less obvious is that the correct procedure must be followed when composing emails in order for Mailvelope to provide confidentiality. Web mail services (especially Google) typically save drafts as you type, which means the plaintext is stored on their servers, and that makes pretty much the entire conversation accessible to third parties. This means you absolutely must compose emails in Mailvelope’s pop-up editor instead of the Web mail interface. We’ll come to this.
Creating or Importing Keys
Since I have already generated keys for my Web mail accounts, I’ll import them here. To import a key from a file on the Import Keys page, open the private key file in a text editor and copy its contents into the ‘Import key as text’ box. The public key will be derived from this.
The key can be managed and the public key uploaded to Mailvelope’s server. Because the verification email needs to be decrypted using another program, and the plaintext link is malformed, I submitted my public keys to the Ubuntu key server instead.
Back to Web Mail
According to the setup dialogs, GMX doesn’t have access to the crypto key. When setting this up, do not lose the recovery key, as the encryption cannot be reset without contacting GMX’s technical support team.
Mailvelope also works with Outlook, displaying a small pad icon in the top-right of the content box. Click that icon before doing anything else.
The following window should then be displayed:
Compose the email in the following window and click the ‘Encrypt’ button.