Monthly Archives: March 2012

gmail-crypt is now “Mymail-Crypt for Gmail™”, download now!

Download: Mymail-Crypt for Gmail™ Chrome Web Store Link

Name Change

There have been a lot of changes to gmail-crypt. Perhaps the most glaring difference, as the title notes, is that I have changed the name to “Mymail-Crypt for Gmail™” as part of my push to get the extension available in the Google Chrome Web Store. They seem to be quite concerned about how you use their trademarks, and I believe I have changed it to meet their standards.

Notable Technical Changes

  • The Options page has been revamped to use Bootstrap. There have been a number of changes to how the options appear. I hope it makes it more intuitive.
  • I’ve integrated the most up-to-date version of OpenPGP.js. In this version I have just recently finished some significant pushes to key generation. This means that you can now generate keys with passphrases.
  • I’ve added the ability to Encrypt with/without a signature, and to just sign a message.
  • Lots of bugfixes, general improvement

Security Concerns

I think this software is quite useful but there still are some special concerns in regard to using this software. You should weigh how important these concerns are to you:

  • DO NOT use this on a shared computer. This extension is not (yet) multi-user capable.
  • This release still allows drafts to be uploaded to Gmail servers. Unencrypted drafts could be stored on Gmail servers.
  • Storing private keys in browser. The extension will run under its own domain but it might be possible for malicious entities to access it.
  • Password input into the DOM. Currently input for passwords is done directly into the DOM. This means it would be conceivable for Gmail to acquire this password. It is important to note that private keys are stored in the context of the extension and not Gmail’s context.
  • Cryptographically Secure Pseudo Random Number Generator. OpenPGP.js uses window.crypto.* for random number generation; the quality of this is browser dependent. By definition this should be a good source, but is an externality to consider.
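
The draft concern above can be checked mechanically. The following is an added example, not code from Mymail-Crypt or OpenPGP.js: it classifies a draft body by validating the OpenPGP ASCII armor, its CRC-24 and the first packet tag, so that anything other than a fully armored encrypted message can be flagged before it is saved. The function names and the sample packets are constructed for illustration, and the check looks at structure only; it does not decrypt anything.

```javascript
// Added example with hypothetical names; sample packets are built by armor() below.
const BEGIN = "-----BEGIN PGP MESSAGE-----";
const END = "-----END PGP MESSAGE-----";
// Packet tags that open an encrypted OpenPGP message (RFC 4880, section 4.3).
const ENCRYPTED_TAGS = new Set([1, 3, 9, 18]);

// CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1).
function crc24(bytes) {
  let crc = 0xB704CE;
  for (const b of bytes) {
    crc ^= b << 16;
    for (let i = 0; i < 8; i++) crc = (crc << 1) ^ (crc & 0x800000 ? 0x1864CFB : 0);
  }
  return crc & 0xFFFFFF;
}

const b64ToBytes = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
const bytesToB64 = (b) => btoa(String.fromCharCode(...b));
// Hypothetical helper: armor raw packet bytes, used to build constructed samples.
function armor(bytes) {
  const c = crc24(bytes);
  const sum = bytesToB64([c >> 16, (c >> 8) & 0xFF, c & 0xFF]);
  return `${BEGIN}\n\n${bytesToB64(bytes)}\n=${sum}\n${END}`;
}

// Returns "plaintext", "mixed", "malformed", "not-encrypted" or "encrypted".
function classifyDraft(text) {
  const start = text.indexOf(BEGIN);
  if (start < 0) return "plaintext";
  const stop = text.indexOf(END, start + BEGIN.length);
  if (stop < 0) return "malformed";
  // Any text outside the armor block would be uploaded in the clear.
  if ((text.slice(0, start) + text.slice(stop + END.length)).trim()) return "mixed";
  const lines = text.slice(start + BEGIN.length, stop).split(/\r?\n/).map((l) => l.trim());
  const blank = lines.indexOf("", 1); // armor headers end at the first blank line
  const body = lines.slice(blank + 1).filter(Boolean);
  const sumLine = body.pop() || "";
  try {
    const data = b64ToBytes(body.join(""));
    const sum = b64ToBytes(sumLine.slice(1));
    const crcOk = sum.length === 3 && crc24(data) === ((sum[0] << 16) | (sum[1] << 8) | sum[2]);
    if (sumLine[0] !== "=" || !crcOk) return "malformed";
    // First packet tag: new format keeps it in bits 5-0, old format in bits 5-2.
    const tag = data[0] & 0x40 ? data[0] & 0x3F : (data[0] >> 2) & 0x0F;
    return (data[0] & 0x80) && ENCRYPTED_TAGS.has(tag) ? "encrypted" : "not-encrypted";
  } catch {
    return "malformed"; // atob rejects input that is not valid base64
  }
}
```

A result of "not-encrypted" covers armored messages that are only signed or compressed, which still expose their content to the server.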

Make sure that you keep backup copies of all the keys you generate. If they’re lost, they’re lost.

TL;DR — There have been a ton of changes that make this extension much more polished. Give it a whirl. Read the Help page for some possible security concerns if that’s your style.

Download: Mymail-Crypt for Gmail™ Chrome Web Store Link
As always, the project page is available here