Mailvelope: use OpenPGP encryption on Gmail, Yahoo, Hotmail and other webmail services
If you prefer a webmail interface such as those provided by Gmail, Hotmail or Yahoo! Mail, you probably know that you cannot really secure your data directly while using those services. Most popular webmail services do not support email encryption, for instance, which would protect the content of messages from being read by automated tools and anyone else with access to the mailbox.
Mailvelope is a free browser extension for Google Chrome and Mozilla Firefox that introduces OpenPGP encryption to webmail services that you may be using. The extension ships with support for Gmail, Yahoo! Mail, Outlook and GMX by default, and options to integrate other web-based email providers as well.
Setup is a little complicated, especially if you have never worked with PGP before. After you have installed the extension in your browser of choice, you need to either create a new encryption key or import an existing one.
OpenPGP for webmail services
If you need to generate a new key, you are asked to enter your name and email address, and a passphrase that protects the private key and is required to decrypt messages. If you want, you can also change the algorithm and key size (1024 bits by default, up to 4096), and set an expiration date.
You also need to import your contacts' public keys here so that you can encrypt messages for them.
I recommend you check out the settings before you head out to your webmail service of choice to start encrypting your emails.
Some interesting options that you have are the following:
- Select whether you want to use the mail service's compose window or a separate editor.
- Select whether you want to decrypt messages on the page of the mail provider or a separate window.
- Set a primary key you want to be selected automatically.
Here you can also add other mail providers to the list of supported services.
A new icon is displayed in the compose window once you have added at least one key for a supported email address. When you click on it, a new window pops up that lets you compose the message. I highly recommend you keep the default option of composing emails in a separate window, as the plain text may otherwise leak, for example when the provider auto-saves drafts.
Once you have clicked on the encryption icon, you can start typing your message. When you are done, click the encrypt icon in the editor to start the encryption process.
Next, select the recipients of the email. You can only add recipients whose public keys you have previously imported into the extension.
Once done, hit the transfer button to send the message to all selected recipients. You may also want to add yourself to the list, as you will then be able to read the messages in your sent folder (and inbox).
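The two rules above (a recipient needs an imported public key, and you must add yourself to read your own sent copy) follow from how OpenPGP encrypts a message: the body is encrypted once under a random session key, and that session key is then wrapped separately for every recipient public key. The following Go program is an added illustration of that hybrid scheme written for this article, not Mailvelope's own code; it uses RSA-OAEP and AES-GCM from the standard library instead of the OpenPGP packet format, and its `NewKey` helper stands in for the extension's key generation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Message mirrors OpenPGP's hybrid layout: one body ciphertext plus one wrapped session key per recipient.
type Message struct {
	WrappedKeys [][]byte // session key encrypted to each recipient's public key
	Nonce, Body []byte   // AES-GCM nonce and ciphertext of the message text
}
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // stands in for key generation
// Encrypt seals the text once under a random session key and wraps that key for each listed recipient.
func Encrypt(text []byte, recipients []*rsa.PublicKey) (*Message, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients: import a public key first")
	}
	buf := make([]byte, 32+12) // AES-256 session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	session, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(session) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	msg := &Message{Nonce: nonce, Body: gcm.Seal(nil, nonce, text, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, nil)
		if err != nil {
			return nil, err
		}
		msg.WrappedKeys = append(msg.WrappedKeys, w)
	}
	return msg, nil
}
// Decrypt tries every wrapped key; only a listed recipient's private key unwraps one and recovers the text.
func Decrypt(msg *Message, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range msg.WrappedKeys {
		if session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil); err == nil {
			block, _ := aes.NewCipher(session)
			gcm, _ := cipher.NewGCM(block)
			return gcm.Open(nil, msg.Nonce, msg.Body, nil)
		}
	}
	return nil, errors.New("not a recipient of this message")
}
```

A sender who leaves their own key out of the recipient list holds no wrapped copy of the session key and can no longer read the message sitting in their sent folder, which is exactly why the article suggests adding yourself.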
Encrypted messages appear like normal messages in your inbox. They have a plain text subject, but the body is encrypted. When you open an encrypted email, you see seemingly random characters and a lock icon in the middle.
A click on the icon opens a password prompt. You need to enter the passphrase that you chose during key creation. Once you do, the email is displayed in plain text so that you can read it.
Mailvelope adds a much needed feature to webmail services. You do face a couple of challenges when using it, though. First, you need to get your contacts to start using PGP as well, as you can only use it effectively if they do.
Second, you rely on the Chrome or Firefox extension, which means that you may not be able to access your encrypted email at all times. This is for instance the case if you check your mail in a public library or on a third-party computer.
The current implementation does not support the signing of messages either.
The good news, however, is that it is fully compatible with existing mail encryption solutions that use OpenPGP.
did you mean encryption?
If I use webmail often I would consider using this solution. But I access my GMail and Hotmail accounts via POP3 so I just use S/MIME on my email client. Easier to use, you only need an email certificate (Comodo, Startcom, and TrustCenter have free ones), and it’s fully supported by Thunderbird, Outlook, and Outlook Express/Live Mail.
“Others use your public key to encrypt messages for you that only you can encrypt with your private key.”
“Others use your public key to encrypt messages for you that only you can decrypt with your private key.”
Right, thanks for that. I have corrected that.
Hi. Thank you for the article. I was warned not to install add-ons which have not been reviewed by the Firefox team. What do you recommend and why? Thanks.
Depends on whether you trust the source or not. I don’t have any issues installing HTTPS Everywhere from the EFF site but a new add-on from a site tapping right into Gmail or PayPal, I’d probably stay away from.
I am a complete novice to this but I am very keen to use something to encrypt my emails. Is there any PGP-type program that doesn’t request for the receivers to use a similar system in order to read the emails, or is it basically the basis of the whole thing that for it to be safe both ends need to use the same system? Could you install something like this and only send encrypted emails to certain contacts who would share a similar system but still use the normal non-encrypted email services to send and receive emails from others who don’t? Or is there any other way, other than this sort of encryption program, to safeguard my privacy when sending emails? I am currently using Hotmail which, a while ago, I tried to connect to Thunderbird without much success. Is a computer based email much safer than webmail and should I therefore try harder to switch to Thunderbird? Sorry if these are very stupid questions, I really don’t know anything about any of this. Thank you very much for your help.
>Is there any PGP-type program that doesn’t request for the receivers to use a similar system in order to read the emails or is it basically the basis of the whole thing that for it to be safe both ends need to use the same system?
It’s basically the basis of the whole thing – they have to use the same coding system to decode what you encode.
>Could you install something like this and only send encrypted emails to certain contacts who would share a similar system but still use the normal non-encrypted email services to send and receive emails from others who don’t?
Not by default… The easiest method of accomplishing this would be to define 2 groups of contacts for the message and send a plain text message to one group and the encrypted message to the other group.
>Or is there any other way other than this sort of encryption programs to safeguard my privacy when sending emails?
There are web-based mail systems that encrypt messages automatically… Hushmail is one example; it is end-to-end encryption – the message is encrypted on your computer rather than being sent to their server and being encrypted there, and the recipient ‘downloads’ the encrypted text which is decrypted on their computer.
>I am currently using hotmail which, a while ago I tried to connect to thunderbird without much success. Is a computer based email much safer than webmail and should I therefore try harder to switch to thunderbird?
‘computer based email’ as in using Thunderbird instead of Hotmail? No, not unless you encrypt locally (on your computer) and upload the encrypted text to your web service (Hotmail, Gmail, etc.). ‘computer based email’ as in using your own email server (such as MS Exchange) instead of Hotmail? No, not unless you encrypt locally (on your computer) before pressing send.
(WebMail can be defined two ways: using a web browser to access email, or email that is stored on a third-party’s email server. I prefer the second definition.)
Using a local email client (Outlook, Thunderbird, etc.) to access email stored on someone else’s email server (Hotmail, Gmail, etc.) is a little bit safer than using a local email client (Outlook, Thunderbird, etc.) to access email stored on your own email server; the message is still sent over the public internet to the recipient, but your email server has a lower profile than the big boys – hackers have to know it exists before they can access it.
Using a browser to access email stored on someone else’s email server (Hotmail, Gmail, etc.) is a little bit less safe than using a local email client to access it – the browser is usually a little bit more vulnerable than an email client.
There are encryption programs that plug into web browsers, email clients, and email servers. Encryption programs that plug into web browsers and email clients encrypt locally. Some email servers encrypt messages as they receive them (meaning the message is sent over the network un-encrypted) while others (such as Hushmail, which is not free) download an encryption program to your browser after you log into the mail account so the browser can encrypt and decrypt the message locally (meaning the message is sent over the network encrypted).
[I’m not endorsing Hushmail, per se, it’s simply the only such email service I have worked with – so I know how it works first hand.]
Thank you ever so much for your detailed explanations and for taking time to reply to my message. Much appreciated! :)