Google Works to Simplify End-to-End Email Encryption for Users

An early version of a new Chrome extension offers email encryption to better protect emails in transit from when they are sent to when they are read.

Gogle email encryption

Google just added an early alpha version of a new Chrome browser extension that will soon give users the ability to bolster the encryption of their emails while in transit to recipients.

The End-to-End extension for Chrome is available to Chrome developers who want to help add more protections to users' emails while requiring fewer steps than existing stand-alone encryption applications, Stephan Somogyi, a Google Chrome product manager for security and privacy, wrote in a June 3 post on the Google Online Security Blog.

"End-to-end encryption means data leaving your browser will be encrypted until the message's intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser," wrote Somogyi. "While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use."

That's where the new End-to-End Chrome extension can help, by making the process easier using OpenPGP, an open standard supported by many existing encryption tools, he wrote. The code for End-to-End has been released for continued development, testing and evaluation by developers in the Chrome community.

"We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection," wrote Somogyi. "But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it."

Because the project is in the early alpha development stage, it is not available yet in the Chrome Web Store as a finalized extension. "Once we feel that the extension is ready for prime time, we'll make it available in the Chrome Web Store, and anyone will be able to use it to send and receive end-to-end encrypted emails through their existing Web-based email provider," wrote Somogyi.

The End-To-End extension will help users encrypt, decrypt, digitally sign and verify signed messages within the browser using OpenPGP, according to Google.

Encrypted emails are like "sealed envelopes, and less vulnerable to snooping—whether by bad actors or through government surveillance—than postcards," Brandon Long, the technical lead for the Gmail delivery team, wrote on the Google Official Blog. "When you mail a letter to your friend, you hope she'll be the only person who reads it. But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. That's why we send important messages in sealed envelopes, rather than on postcards," wrote Long in the June 3 post.

The issue has become so important that Google will now include a new section in its Transparency Reports that show how much email is being encrypted as it travels over the Internet, he wrote. "Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren't encrypted. Many providers have turned on encryption, and others have said they're going to, which is great news. As they do, more and more emails will be shielded from snooping."

Gmail has always supported encryption in transit by using Transport Layer Security (TLS), according to Long's post, and automatically encrypts incoming and outgoing emails if possible. "The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can't do it alone," he wrote.

In March 2014, Google announced that all incoming and outgoing Gmail messages will also use encrypted HTTPS connections to better protect them from interception by attackers or spying, in response to allegations in the fall of 2013 that the U.S. National Security Agency (NSA) had allegedly spied on data in Google and Yahoo data centers.

Google's launched Gmail on April 1, 2004.