GPG for Gmail, Yahoo! Mail, Hotmail and more

August 25th, 2006

A colleague of mine just sent me this link to freenigma:

freenigma uses one of the most famous and most widely used cryptographic software packages in the world: the GNU Privacy Guard (GnuPG)

It runs as a Firefox extension with an IE version in the pipeline. It’s still early days yet - there’s no encryption of attachments and digital signatures are disabled at present - but this looks promising.

If you’re interested, I’d recommend reading their FAQ. They’ve thought things out pretty well and are probably onto a winner here.

I’ve not been able to work out what type of licence the product is being released under. They’re planning to offer this for free for individual use, which suggests a closed source :-(

Entry Filed under: Security

4 Comments Add your own

  • 1. Andrew Hammond  |  February 8th, 2007 at 4:11 am

    Unfortunately this looks like it sends my message to their server to be encrypted / signed. That means that they need to have my private key to sign stuff, and that they know the symmetric key for messages I’m sending. In other words, I have to trust them a whole lot more than I’m willing to trust anyone.

    Bummer.

  • 2. Ben Balbo  |  February 8th, 2007 at 7:47 am

    From http://www.freenigma.com/frequentlyaskedquestions/

    Does freenigma send my mails to the freenigma server for encryption?

    No. All mail is encrypted or decrypted directly in the webmail client (i.e. directly in the browser). But how does that work?! For the experts: when making an encryption request, the freenigma extension sends nothing more than the list of recipient addresses to the freenigma server. In response, it receives a random session key for symmetric encryption within the client as well as an asymmetric encrypted session key for all the recipients. AES encryption is then performed within the client using the unencrypted session key. Then, the user script in the client combines the symmetric encrypted mail text and the asymmetric encrypted session key to create the OpenPGP binary format.

  • 3. Do you Trust us?  |  May 31st, 2008 at 2:35 am

    Bwhahahaha! This is utterly and completely useless, perhaps even bordering on dangerous for the uninformed. Today’s PC’s are more than sufficient to provide the computing power and entropy necessary to encrypt using asymmetric encryption. Get a true email client.Get a GPG plugin for that client, and kiss web-mail goodbye forever.

    If you want security, you can’t use webmail.

  • 4. Ben Balbo  |  June 2nd, 2008 at 11:23 am

    Hi DyTu - thanks for dropping by! I’m not sure why you believe this is utterly useless. I’ve never tried it, as I don’t use web-based email providers, but I believe it’s useful for those that do.

    Take travelers, for example. Most that I’ve met don’t carry a laptop with them. They stop off at Internet cafes and use web-based email. They probably don’t want to spend a few minutes creating a new mail account on the email client running on the computer they’re using, only to have to make sure they clean up all the personal data before walking away.

    I dispute your opinion that you cannot use webmail if you want security. So long as you connect over SSL, you’re more secure than the desktop email client users that connect over insecure IMAP or POP which, to be honest, is the majority of them.

    As for dangerous, please explain. It’s early and I’m still waking up, but I can’t see the danger…

    Cheers!

Leave a Comment

hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Trackback this post  |  Subscribe to the comments via RSS Feed

 

Most Recent Posts

Buy a Domain Name Today!

Links