OpenPGP JavaScript Implementation Enables Encrypted Webmail

Use Netsparker


This is a pretty interesting progression in the encryption field, I’m pretty sure most of us here will use some kind of key based e-mail encryption (PGP/GPG etc) and various different software based implementations.

Or perhaps some of you already use something totally web-based like Hushmail, the story is that researchers in Germany have managed to develop a JavaScript implementation of OpenPGP that allows you to both encrypt and decrypt messages purely in the webmail interface with Google Chrome and Gmail.

Pretty neat eh?

Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages.

Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with Gmail.

According to its developers, GPG4Browsers is a prototype, but it supports almost all asymmetric and symmetric ciphers and hash functions specified in the OpenPGP standard.

The OpenPGP specification uses public key cryptography to encrypt and digitally sign messages and other data. It is based on the original PGP (Pretty Good Privacy) program and is most commonly used for securing email communications.

Setting up a PGP variant to work with a particular email client on a local computer can prove troublesome for less technical users, not to mention that it’s not portable. A PGP user who wants to send and receive encrypted emails from a different computer, would have to install it on that system first, import his private and public keys into the local database, known as the keyring, and then configure his email client.

The benefits of a JavaScript-based implementation that runs inside the browser is that it doesn’t require a dedicated email client or other software installed on the computer.

I have to admit, setting up key based e-mail cryptography to work seamlessly…is not for the faint of heart. Even for the more technical user, it can be quite a pain in the arse.

That’s a pretty high entry barrier for the average Joe and stops pretty much everyone else from encrypting their emails. Something more seamless (and totally portable) like this JavaScript implementation could open up key-based e-mail encryption for the masses.


At the moment, GPG4Browsers only works in Google Chrome and is not available for download from the Chrome Web Store. However, if the name is any indication, the extension will be ported to other browsers in the future.

Users interested in giving it a try must download it manually and install it as an unpacked extension. This can be done from the Tools > Extension page by checking the “Developer mode” box and clicking on “Load unpacked extension.”

The current release is limited by the fact that it cannot generate private keys, although the menu for doing this is present, so the feature will most likely be implemented in the future.

Importing public and private keys works fine and when browsing on Gmail a black lock icon is displayed in the address bar. Clicking on it will open a dialog for composing an encrypted or a digitally signed message.

Similarly, when an encrypted message arrives in the Gmail inbox, the browser asks users if they want to open it with GPG4Browsers. The extension can decrypt messages signed with GnuPG (GNU Privacy Guard), a popular open source PGP implementation, but only if data compression isn’t used.

The GPG4Browsers source code is available under a GNU Lesser Public License so the tool can be easily improved to support additional webmail providers. The developers also provide documentation which explains the available APIs.

An OpenPGP JavaScript implementation offers convenience and portability, but also has some downfalls. “Since memory-wipe of private data and validation of a secure execution environment cannot be achieved in JavaScript this implementation should not be used in environments where the confidentiality and integrity of the transmitted data is important,” the developers warned.

Which means, in basic terms, don’t use this kind of implementation on any machines that might be infected with malware etc. Which in a way to me renders it useless, the only reason I’d be using a web-based OpenPGP implementation is because I’m using a public or unfamiliar machine and I STILL want to encrypt my e-mail.

If I’m using my own e-mail, I’ll be using a proper software based encryption tool anyway. So I guess it may offer slightly more protection that sending completely plain text e-mail, but it’s certainly not a totally secure e-mail encryption solution.

As JavaScript progresses and gets more powerful however, things may change and this may well become a viable alternative to software based e-mail encryption.

Source: Network World

Posted in: Countermeasures, Cryptography, Security Software


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.