ISP GMX attempts the nigh impossible: PGP for the masses
Promises end-to-end crypto
Internet service provider GMX claims to have overcome the notorious usability problems of PGP with the launch of a new email service that offers end-to-end encryption.
The new email security works across all devices and platforms, including laptops, tablets, smartphones and web browsers, according to GMX, which says that the service is “compatible with all previous PGP applications”. PGP suffers from well-documented usability problems that have lately prompted even Phil Zimmermann, the inventor of PGP, to prefer encrypted mobile messaging alternatives to PGP-encrypted emails.
GMX’s service is touted as resolving the three main problems that users have previously faced when using end-to-end encryption: PGP set-up, key exchange, and assistance if the key is lost.
The ISP has introduced an assistant which guides users through the steps of sending encrypted messages. “After installing a browser plug-in, the private and public key required for PGP is generated and assigned to the user,” the firm explains. “Emails to a particular recipient are encrypted using the public key and can then only be decrypted by that recipient using a secret private password. By transferring keys between devices, users can also load their private key onto a smartphone so that in the case this is lost, it can be restored from one of the devices.”
The service, which is designed with mainstream consumers in mind, can be accessed via either internet browser or GMX smartphone app.
Email encryption to go mainstream. Haven’t we been here before?
Bringing PGP to the masses has been tried before, most notably with the webmail-based Hushmail service, achieving some success but ultimately not really advancing the cause of encrypted email as much as was initially hoped.
Independent security experts gave GMX’s service a cautious welcome.
“Doubtless end to end encryption of email is a good thing,” said Ken Munro of PenTestPartners. “In this scenario, the content is encrypted at rest then sent. This has the benefit to the user that GMX could not read their email should they choose to.
“One alternative is of course SSL. The vast majority of email clients (particularly mobile clients) feature SSL based encryption, so Gmail / WhatsApp etc offer security,” he added, noting that Gmail users must trust Google, and Hotmail users Microsoft, to respect the privacy of their email, whereas under GMX’s scheme the provider itself would be unable to read message content.
Privacy of webmail services is very much under the spotlight following the recent Yahoo!/NSA debacle.
“Any email providers may struggle with the ethical challenge around an interception request from a surveillance agency,” Munro noted.
He concluded: “Does the average user benefit from an offering such as GMX? Yes, though I suggest that most users would be content with the level of privacy that SSL offers.”
Under the bonnet
GMX is using the open source software Mailvelope for PGP encryption. The browser plug-in is integrated into GMX’s email interface and encrypts the message and any attachments before the email is sent. GMX apps for Android and iOS automatically include the PGP plug-in, allowing users to encrypt and decrypt messages on smartphones and tablets.
All public keys generated by the browser plug-in are stored in a directory administered by GMX. With the aid of a signature, GMX ensures that the keys in this directory match the respective accounts. Only the user knows the corresponding private keys.
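The signed directory described above is the part of the design that decides whether a sender ends up encrypting to the right key. The following Go program is an added illustration of that check and is not code from GMX or Mailvelope: it models a provider-run directory whose operator signs each (account, public key) binding, and a client-side verification step that refuses any entry whose signature does not cover exactly the account being looked up. Ed25519 keys stand in for PGP keys, the length-prefixed message format, the `Directory`/`Binding` names and the `alice@example.com` account are all constructed for the example, and the operator's verification key is assumed to be pinned in the client rather than fetched from the directory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Binding is one entry in the provider-run key directory: an account
// address, the user's public key, and the operator's signature over the
// (account, key) pair. Constructed model of the design the article
// describes, not GMX's or Mailvelope's actual data format.
type Binding struct {
	Account string
	PubKey  []byte
	Sig     []byte
}

// ErrBadBinding is returned when a directory entry fails the client check.
var ErrBadBinding = errors.New("directory binding does not verify for this account")

// bindingMessage is the exact byte string the operator signs. Both fields
// are length-prefixed so that shifting bytes between the account and the
// key can never yield the same signed message (plain concatenation would).
func bindingMessage(account string, pub []byte) []byte {
	msg := make([]byte, 0, 4+len(account)+len(pub))
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(account)))
	msg = append(msg, n[:]...)
	msg = append(msg, account...)
	binary.BigEndian.PutUint16(n[:], uint16(len(pub)))
	msg = append(msg, n[:]...)
	return append(msg, pub...)
}

// Directory models the key store administered by the provider. Only the
// operator's signing key can produce bindings that clients will accept.
type Directory struct {
	signKey ed25519.PrivateKey
	entries map[string]Binding
}

// NewDirectory creates a directory with a fresh operator signing key.
func NewDirectory() (*Directory, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Directory{signKey: priv, entries: make(map[string]Binding)}, nil
}

// OperatorKey is the verification key a client pins (shipped with the
// plug-in or app, not fetched from the directory it is meant to check).
func (d *Directory) OperatorKey() ed25519.PublicKey {
	return d.signKey.Public().(ed25519.PublicKey)
}

// Publish stores the user's public key for account and signs the binding.
func (d *Directory) Publish(account string, pub []byte) {
	sig := ed25519.Sign(d.signKey, bindingMessage(account, pub))
	d.entries[account] = Binding{Account: account, PubKey: pub, Sig: sig}
}

// Lookup returns the stored binding for account, as a client would fetch it.
func (d *Directory) Lookup(account string) (Binding, bool) {
	b, ok := d.entries[account]
	return b, ok
}

// NewUserKey generates a key pair standing in for the user's PGP key pair;
// only the public half is ever sent to the directory.
func NewUserKey() (pub, priv []byte, err error) {
	p, s, err := ed25519.GenerateKey(rand.Reader)
	return []byte(p), []byte(s), err
}

// VerifyBinding is the client-side check run before encrypting to a key
// fetched from the directory: the entry must be for the account the sender
// asked about, and the operator signature must cover exactly that
// (account, key) pair. A key swapped into the entry while keeping the old
// signature, or a genuine entry for a different account, fails here.
func VerifyBinding(operator ed25519.PublicKey, wantAccount string, b Binding) error {
	if b.Account != wantAccount {
		return ErrBadBinding
	}
	if !ed25519.Verify(operator, bindingMessage(b.Account, b.PubKey), b.Sig) {
		return ErrBadBinding
	}
	return nil
}

func main() {
	dir, err := NewDirectory()
	if err != nil {
		panic(err)
	}
	alicePub, _, _ := NewUserKey()
	otherPub, _, _ := NewUserKey()
	dir.Publish("alice@example.com", alicePub) // constructed sample account

	// Honest fetch: the entry verifies and the sender may encrypt to it.
	b, _ := dir.Lookup("alice@example.com")
	fmt.Println("genuine entry:", VerifyBinding(dir.OperatorKey(), "alice@example.com", b))

	// Same entry with the key replaced but the old signature kept: rejected.
	b.PubKey = otherPub
	fmt.Println("swapped key:  ", VerifyBinding(dir.OperatorKey(), "alice@example.com", b))
}
```

Two design points are worth noting. The account address is part of the signed message, so a valid entry for one address cannot be served as the answer for another; and the check only means anything if the client obtains the operator's verification key out of band, since a key fetched from the same directory proves nothing. The scheme still makes the provider the sole authority on which key belongs to which address, which is exactly the trust the article says users place in it; users who want assurance independent of the provider still need to compare key fingerprints with their correspondents directly.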
In order to build trust, GMX is releasing the source code and commissioning external security experts to conduct regular audits. All security-relevant information – such as private keys and passwords – will never be viewed by GMX, the firm pledges. Users have “complete control of their data, and are responsible for the security of their devices and private keys,” it adds. ®