Google releases beta OpenPGP code

Ciprian Dorin Craciun ciprian.craciun at gmail.com
Wed Jun 4 14:45:35 CEST 2014


On Wed, Jun 4, 2014 at 11:58 AM, Mark Rousell <markr at signal100.com> wrote:
> On 04/06/2014 09:32, Werner Koch wrote:
>> Maybe Google now fears that users move away from Gmail and to mitigate
>> that they provide end-to-end so that they still have access to their
>> user's traffic pattern.
>
> Oh perhaps they simply take the view that very few people will use it
> (sadly). It will give people the warm and fuzzies because it's there but
> few people who use Gmail will know why it's there or how to use it or
> bother to use it.


    Although I find such a plugin welcome --- at least for trying to
bridge PGP-based security to the browser, like the defunct Firefox
GnuPG plugin did a few years ago --- I also think that the purpose of
such a tool is limited to either public education (getting them used
to the idea of "better" privacy), experimentation (being written
solely in JavaScript), or in the worst case marketing.  (Though I'm
sure its developers have only the best in mind.)

    The reason I'm stating this is based solely on what they write on
the project's page [1] regarding the "security" of the solution,
its threat model, implementation, etc.  For example looking at the
section "How safe are private keys in memory?":

~~~~
Please note that enabling Chrome’s "Automatically send usage
statistics and crash reports to Google" means that, in the event of a
crash, parts of memory containing private key material might be sent
to Google.
~~~~


    Personally I won't use any browser plugin that operates on
cryptographic material inside its own process.  Instead I would
expect it to delegate such operations to something similar to the
GnuPG agent.


    However I would love to see again a Firefox GnuPG plugin,
    Ciprian.

    [1] https://code.google.com/p/end-to-end/



More information about the Gnupg-users mailing list