Google last week released its E2EMail encryption code to open source as a way of pushing development of the technology.
“Google has been criticized over the amount of time and seeming lack of progress it has made in E2EMail encryption, so open sourcing the code could help the project proceed more quickly,” said Charles King, principal analyst at Pund-IT.
That will not stop critics, as reactions to the decision have shown, he told LinuxInsider.
However, it should enable the company to focus its attention and resources on issues it believes are more pressing, King added.
Google started the E2EMail project more than a year ago, as a way to give users a Chrome app that would allow the simple exchange of private emails.
The project integrates OpenPGP into Gmail via a Chrome extension. It brings improved usability and keeps all cleartext of the message body exclusively on the client.
E2EMail is built on a proven, open source Javascript crypto library developed at Google, noted KB Sriram, Eduardo Vela Nava and Stephan Somogyi, members of Google’s Security and Privacy Engineering team, in an online post.
E2EMail Unwrapped
The early versions of E2EMail are text-only and support only PGP/MIME messages. It now uses its own keyserver.
The encryption application eventually will rely on Google’s recent Key Transparency initiative for cryptographic key lookups. Google earlier this year released the project to open source with the aim of simplifying public key lookups at Internet scale.
The Key Transparency effort addresses a usability challenge hampering mainstream adoption of OpenPGP.
During installation, E2EMail generates an OpenPGP key and uploads the public key to the keyserver. The private key is always stored on the local machine.
E2EMail uses a bare-bones central keyserver for testing. Google’s Key Transparency announcement is crucial to its further evolution.
Google Partially Benefits
Secure messaging systems could benefit from open sourcing the system. Developers could use a directory when building apps to find public keys associated with an account along with a public audit log of any key changes.
Encryption key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced, suggested Sriram, Nava and Somogyi in their joint post.
Key Transparency delivers a solid, scalable and practical solution. It replaces the problematic web-of-trust model traditionally used with PGP, they pointed out.
“Google announced end-to-end email encryption almost three years ago, and no product or solution ever materialized,” said Morey Haber, vice president of technology at BeyondTrust.
“With this announcement, Google is making good on the promise of a Chrome extension that would seamlessly encrypt Gmail end-to-end,” he told LinuxInsider.
Since Google decided to open source the project, the technology will not remain proprietary for Chrome and Gmail, Haber added. Instead, Google no longer is working on this project, and the community will own the work and any potential derivatives.
“This could be viewed as coming clean on a 3-year-old promise, or the release of a market perceived vaporware project. In either case, the techniques being used might spur some other innovation for similar messaging-type solutions,” added Haber.
Last Ditch Effort
Google’s decision to drop E2EMail and release it to open source might be the company’s way of saving face, suggested Rob Enderle, principal analyst at the Enderle Group.
The best-case scenario is that sharing the project might inspire other developers and possibly improve security in general, he told LinuxInsider.
“I think, like a lot of Google projects, Google lost interest in this one,” Enderle continued, “and putting into open source is a way of at least allowing others to benefit from the effort. It is better than just shuttering the effort and archiving the work in a private repository.”
The impact of Google’s decision to open source the project is difficult to assess, noted King.
“Google has admitted that the issues surrounding end-to-end email encryption are far more complex that it originally assumed, so the code it has released is far from fully baked, he said.
That makes its actual value hard to determine, King added, but bringing additional eyes and energy to the effort could help it progress more quickly.
Solutions Still Needed
About half of the email that traverses the Internet does so unencrypted, although that may not be the case for messaging and social media apps, suggested BeyondTrust’s Haber.
“Basic implementations of technology like this can be used to secure everything from banking statements to password resets,” he said.
Although Google’s project never materialized into a product, the ideas and methodologies are good examples to learn from.
“It will help educate people on techniques and potentially failed projects related to end-to-end encryption,” Haber said, “but in the end, there are big problems to solve with key management and SHA1 collisions that researchers and security engineers should be focusing on.”