[liberationtech] safegmail-is-a-simple-way-to-encrypt-messages-in-gmail
Maxim Kammerer
mk at dee.su
Tue Oct 23 08:12:40 PDT 2012
I recommend that everyone avoid using this extension in its current
form. It has nothing to do with PGP, and is an implementation of
symmetric encryption where the (randomly generated) encryption key is
sent in cleartext to the SafeGmail server. The recipient then provides a
password that the SafeGmail server uses to decrypt the encryption key,
which is then sent to the recipient (again, in cleartext). Such
unnecessary complication of a client-only symmetric encryption scheme
makes no sense, and shows misunderstanding of the simplest
cryptographic concepts. Use of PGP is completely incidental — PGP with
autogenerated keys is used on the server instead of a much simpler
symmetric crypto to keep per-message encryption keys (the private PGP key
is encrypted with a user-supplied passphrase). Contrast this with the
misleading title: “Easy & Free PGP (Pretty Good Privacy) Encryption
for Gmail” on the SafeGmail homepage.
https://twitter.com/mkdeesu/status/260750944495624192
--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
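
Added example, not part of the original post and not SafeGmail's code: a small model of the key flow the post describes next to a client-only scheme, checking what a party that receives the transmitted values (and is assumed to also obtain the ciphertext) can decrypt. All function names are hypothetical, the HMAC-based keystream is a stand-in for a real authenticated cipher, and the PBKDF2 parameters and sample strings are constructed.

```python
import hashlib
import hmac
import secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 keystream XOR (same call encrypts/decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def derive_key(password: str, salt: bytes) -> bytes:
    """Key derived on the client from the shared password; never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def escrow_flow(msg: bytes, password: str):
    """Flow as described in the post; returns (observed, nonce, ciphertext)."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    observed = {
        "message_key": key,                        # sender -> server, cleartext
        "recipient_password": password.encode(),   # recipient -> server
    }
    return observed, nonce, xor_stream(key, nonce, msg)

def client_only_flow(msg: bytes, password: str):
    """Client-only scheme; returns (observed, salt, nonce, ciphertext)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    ct = xor_stream(derive_key(password, salt), nonce, msg)
    # Only public parameters travel with the ciphertext; no key server exists.
    return {"salt": salt, "nonce": nonce}, salt, nonce, ct

def observer_can_decrypt(observed: dict, nonce: bytes, ct: bytes, msg: bytes) -> bool:
    """True if any value the third party received works as the message key."""
    return any(xor_stream(v, nonce, ct) == msg for v in observed.values())

if __name__ == "__main__":
    msg, pw = b"constructed sample message", "constructed shared secret"
    seen, nonce, ct = escrow_flow(msg, pw)
    print("escrow flow, server can decrypt:", observer_can_decrypt(seen, nonce, ct, msg))
    seen, salt, nonce, ct = client_only_flow(msg, pw)
    print("client-only, observer can decrypt:", observer_can_decrypt(seen, nonce, ct, msg))
    print("recipient recovers message:",
          xor_stream(derive_key(pw, salt), nonce, ct) == msg)
```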