michael’s thoughts

collected

FireGPG Firefox Plugin for GnuPG

I have been an avid Firefox user for the past several years. While I do use Firefox every day, I am not a heavy consumer of Firefox extensions. There are thousands of Firefox extensions available but I find that the browser suits my needs in its stock form. I don’t like getting used to having a lot of extensions installed, as when I use someone else’s computer I will be relying on functionality that is not available.

There is one extension that I do use on a regular basis. FireGPG is a Firefox extension that allows for integration with GnuPG. The extension has a number of features, including allowing the selection of web page text and then encrypting it via a right-click context menu.

The killer feature of this extension, however, is its integration with Gmail. The problem with web-based email systems is that they are inherently insecure: regardless of whether the HTTP connection is encrypted with SSL, all of the mail content is stored on a remote server.

Sending encrypted emails to web email services has always been possible, but it’s painful in practice as the encrypted email must be copied out of the web browser and into a local text file and then decrypted. That is not an efficient workflow, and so very few people with web mail accounts actually use encryption.

FireGPG has support for Google’s Gmail. When you have FireGPG installed, the Gmail interface is subtly modified to include options to sign, encrypt, and decrypt emails. When an encrypted or signed email comes in, the software automatically recognizes it and decrypts it or verifies the digital signature. The integration is very subtle and over time I forget I have it, until I’m on another computer and realize I can’t verify digital signatures.

The downside to encrypting web-based mail is that only the encrypted version is stored with the mail service provider, which makes the web mail’s search functionality unusable. I find that I still don’t send much encrypted email, but the ability to see verified signatures is very handy and does not prevent my mail from being searchable.
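
The recognition step and the searchability difference described above can be seen in how OpenPGP marks up a mail body. The following is an added example, not FireGPG's own code: it finds ASCII-armored blocks by their RFC 4880 header lines and recovers the readable text of a clearsigned block, while an encrypted block exposes nothing a server-side search could index. The function names and the sample message are constructed for illustration.

```javascript
// Added example, not FireGPG code: classify OpenPGP ASCII-armored blocks in a
// mail body using the armor header lines defined in RFC 4880 (sections 6.2, 7).
const ARMOR_KINDS = {
  "PGP MESSAGE": "encrypted",
  "PGP SIGNED MESSAGE": "clearsigned",
};

// Returns the readable text of a clearsigned block, or null if malformed.
function clearsignedText(inner) {
  const sigStart = inner.indexOf("-----BEGIN PGP SIGNATURE-----");
  const headerEnd = inner.indexOf(""); // blank line ends the "Hash:" headers
  if (sigStart === -1 || headerEnd === -1 || headerEnd > sigStart) return null;
  return inner
    .slice(headerEnd + 1, sigStart)
    .map((l) => (l.startsWith("- ") ? l.slice(2) : l)) // undo dash-escaping
    .join("\n");
}

function findPgpBlocks(body) {
  const lines = body.split(/\r?\n/).map((l) => l.trimEnd());
  const blocks = [];
  for (let i = 0; i < lines.length; i++) {
    const m = /^-----BEGIN (PGP [A-Z ]+)-----$/.exec(lines[i]);
    const kind = m && ARMOR_KINDS[m[1]];
    if (!kind) continue;
    // A clearsigned block runs to the end of its trailing signature armor.
    const endLabel = kind === "clearsigned" ? "PGP SIGNATURE" : m[1];
    const end = lines.indexOf(`-----END ${endLabel}-----`, i + 1);
    if (end === -1) { blocks.push({ kind, complete: false }); break; }
    const block = { kind, complete: true };
    if (kind === "clearsigned") {
      block.text = clearsignedText(lines.slice(i + 1, end));
      block.complete = block.text !== null;
    }
    blocks.push(block);
    i = end;
  }
  return blocks;
}

// Constructed sample body; the base64 lines are placeholders, not real OpenPGP data.
const SAMPLE = [
  "Hi, two blocks follow.",
  "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "",
  "Invoice 42 is approved.", "- -- michael",
  "-----BEGIN PGP SIGNATURE-----", "", "Y29uc3RydWN0ZWQgc2FtcGxl",
  "-----END PGP SIGNATURE-----",
  "-----BEGIN PGP MESSAGE-----", "", "Y29uc3RydWN0ZWQgc2FtcGxl",
  "-----END PGP MESSAGE-----",
].join("\r\n");
```

Locating a block is not the same as verifying it: the signature on a clearsigned block still has to be checked by GnuPG against the sender's public key before the text is trusted.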

  • Doug
    Not everyone uses GPG or PGP...and you cannot make them use it. That's why it's NOT easy to use. Solutions like Voltage SecureMail allow you to send encrypted messages to anyone using Identity Based Encryption (IBE), the next generation of PKI.

    See http://www.voltage.com/vsn to try it for yourself.

    You can use it with Firefox, IE, Safari...any browser...

    Messages are in control of the sender and the recipient...never stored on the service.
  • Paul
    Although I will admit to being a bit late in hearing about it, the revelation that Hushmail will roll over and provide decrypted e-mails when presented with a court order (as published in November 2007) makes them or any service that has custody of your private key suspect and vulnerable to LEO access. Since IBE *relies* on a third-party server providing the private key to allow decryption of the e-mail, it is NOT secure. IMO, it's probably *less* secure than Hushmail, which *admits* that they are subject to and will comply with court orders.

    Voltage may have the best of intentions, but I have issues with the IBE model they are selling. With PGP/GPG, while it is a bit more difficult to set up, you are the only one that should have access to your private key *and* the passphrase required to decrypt or sign messages. And you're right, you can't make people use PGP/GPG. Like the old saying goes, "You can lead a horse to water, but you can't make it drink."