Send encrypted webmail

Posted Sunday, August 27th, 2006 10:55 am by Mon Solo

I always keep an eye on information security tools.  As you may know, sending an unencrypted email through the internet is like sending a postcard.  It exposes your message to the world.  Freenigma aims to solve that.

Freenigma follows many of the established rules of security: one, it uses an established cryptographic standard (PGP), and two, it is open source.  So far it supports Gmail, Yahoo Mail, and Hotmail.  It only works in Firefox, which is another reason to ditch IE.

There is one concern, though.  As I understand the FAQ, while encryption/decryption happens in the browser, the encryption keys are stored/generated on Freenigma’s server:

All mail is encrypted or decrypted directly in the webmail client (i.e. directly in the browser). But how does that work?! For the experts: when making an encryption request, the freenigma extension sends nothing more than the list of recipient addresses to the freenigma server. In response, it receives a random session key for symmetric encryption within the client as well as an asymmetrically encrypted session key for all the recipients. AES encryption is then performed within the client using the unencrypted session key. Then, the user script in the client combines the symmetrically encrypted mail text and the asymmetrically encrypted session key to create the OpenPGP binary format.

I am wondering why Freenigma doesn’t encrypt using the standard private/public key process, wherein the private key is known and generated only by the sender.
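As an added illustration (not part of the original post and not Freenigma's code), this Node.js example models the flow the FAQ describes next to a flow where the client generates the session key itself. RSA-OAEP key wrapping, AES-256-GCM, the `KeyServer` class, its `seen` list and all function names are assumptions made for the example; no OpenPGP packet format is produced.

```javascript
// Added example: models the FAQ's flow; not Freenigma's code.
const crypto = require('crypto');
// Constructed recipient key pair (RSA stands in for an OpenPGP key; assumption).
const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical key server that holds recipients' public keys.
class KeyServer {
  constructor(directory) { this.directory = directory; this.seen = []; }
  // FAQ flow: gets only addresses, returns a session key and its wrapped copies.
  encryptionRequest(addresses) {
    const sessionKey = crypto.randomBytes(32);
    this.seen.push(sessionKey); // assumption: the server could retain what it issued
    const wrapped = addresses.map(a => crypto.publicEncrypt(this.directory[a], sessionKey));
    return { sessionKey, wrapped };
  }
}

// Client-side AES; GCM mode is this example's choice, the FAQ only says "AES".
function aesEncrypt(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}
function aesDecrypt(key, { iv, body, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// Flow A (as in the FAQ): the server issues the session key.
function sendViaServer(server, to, text) {
  const { sessionKey, wrapped } = server.encryptionRequest([to]);
  return { wrapped, msg: aesEncrypt(sessionKey, text) };
}
// Flow B: the client creates and wraps the session key; only a public key is fetched.
function sendLocal(publicKey, text) {
  const sessionKey = crypto.randomBytes(32);
  return { wrapped: [crypto.publicEncrypt(publicKey, sessionKey)], msg: aesEncrypt(sessionKey, text) };
}
// True if any key in `keys` decrypts the mail body (GCM rejects a wrong key).
function readableWith(keys, mail) {
  return keys.some(k => { try { aesDecrypt(k, mail.msg); return true; } catch { return false; } });
}
// Recipient path: unwrap the session key with the private key, then decrypt.
function recipientRead(privateKey, mail) {
  return aesDecrypt(crypto.privateDecrypt(privateKey, mail.wrapped[0]), mail.msg);
}
```

In flow A the body is readable with what the server issued, without any private key; in flow B only the holder of the recipient's private key can recover the session key.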

If you are interested in using this service, you can register at Freenigma’s site.


6 Responses to “Send encrypted webmail”


  1. rom » August 27th, 2006 12:27

    You, the user, generate your public and private keys. The thing with Freenigma is that it stores the key pair for you, which is retrieved by the plug-in when needed.

  2. Monsolo » August 27th, 2006 14:17

    Rom,

    The impact is still the same. For encryption to be secure, the private key has to be kept private. If Freenigma has both keys, then technically they can decrypt the message.

    Ideally, Freenigma should only be keeping the public keys of both the sender and the receiver.

    I’m awaiting a message from Freenigma, signifying that I have joined, and will try it out.

  3. godie » August 28th, 2006 06:35

    You may want to try GnuPG (http://www.gnupg.org/), then publish your key at MIT’s PGP Server (http://pgp.mit.edu/).

    I only sign sensitive data and please don’t sign your PLUG emails! >_

  4. rom » August 28th, 2006 17:30

    Monsolo, technically they can – as long as they know your passphrase.

    godie, the thing with PGP is that anybody can always create their own keys. The web of trust is important – so keys must be signed by an authority or a community of trusted individuals.

  5. jgotangco » September 3rd, 2006 10:51

    A third party having your private keys even! Now that’s security.

    Seriously though, I think this is what the Hula project will be doing as well, except that you have to set up your own service.

  6. Arnie » March 15th, 2008 14:21
