Google’s efforts to deliver an end-to-end encryption tool for Chrome users are taking shape with help from Yahoo and members of the open-source community.
The company this week released an updated alpha version of its End-to-End Chrome extension to the GitHub code hosting service. The prerelease version contains several contributions from the security team at Yahoo, led by its Chief Security Officer Alex Stamos, Google Product Manager of Security and Privacy Stephan Somogyi said in a blog post.
The End-to-End project wiki has also been updated with new documentation for developers and security researchers interested in contributing or learning more about the project, Somogyi said.
But it will be some time yet before Google is ready to make End-to-End available in the Chrome Web Store, he added.
“We don’t feel it’s as usable as it needs to be,” he said. “Key distribution and management is one of the hardest usability problems with cryptography-related products, and we won’t release End-To-End in non-alpha form until we have a solution we’re content with.”
New documentation on the project provides some details about Google’s plans to enable end-to-end encryption using a centralized key server model. The approach is different from and easier to use than the decentralized key distribution and verification models used by other email encryption methods, Google said.
With the centralized key server model, a user wanting to send or receive an encrypted email would first need to register with a Key Directory operated by the user’s email provider. The Key Directory would then assign a public key to the user’s email address, which anyone could use to send an encrypted email to that user.
The goal is to eliminate the need for users to know anything about how to use encryption keys while also giving them the assurance that the encryption scheme can be trusted, Google said in its documentation.
“The model of a key server with a transparency backend is based on the premise that a user is willing to trust the security of a centralized service, as long as it is subject to public scrutiny, and that can be easily discovered if it’s compromised,” according to the documentation.
Google announced its plans for End-to-End in June. At that time, the company described the Chrome extension as an easy-to-use tool for those looking to encrypt email messages, digitally sign them or verify signed messages within the browser. The Chrome extension is based on the OpenPGP standard, a nonproprietary email encryption protocol that is used widely in products from multiple vendors.
Unlike encryption tools such as PGP and GnuPG, Google’s End-to-End extension will require little technical know-how or manual effort to use, the company has claimed.
Google has shared the source code for the tool with the open-source community from the outset, and releasing it on GitHub will enable even better collaboration, according to Somogyi. “We’ve always believed strongly that End-To-End must be an open source project, and we think that using GitHub will allow us to work together even better with the community,” he said.