Mailvelope

Mailvelope is a free software for end-to-end encryption of email traffic inside of a web browser (Firefox or Chromium) that integrates itself into existing webmail applications ("email websites"). It can be used to encrypt and sign electronic messages, including attached files, without the use of a separate, native email client (like Thunderbird) using the OpenPGP standard.

Mailvelope
Developer(s)Mailvelope GmbH
Initial release2012 (2012)
Stable release
4.0.1 [1] / 8 August 2019 (2019-08-08)
Repositorymailvelope on GitHub
Written inJavaScript
Platformweb browser
Typebrowser extension
LicenseAGPL (free software)
Websitewww.mailvelope.com

The name is a portmanteau of the words "mail" and "envelope". It is published together with its source code under the terms of version 3 of the GNU Affero General Public License (AGPL). The company Mailvelope GmbH runs the development using a public code repository on GitHub. Development is sponsored by the Open Technology Fund.[2]

Similar alternatives are Mymail-Crypt[3] and WebPG.[4]

Features

Mailvelope equips webmail applications with OpenPGP functionality. It comes with preconfigurations for several popular providers like Outlook on the web and Gmail.[5] For Chromium/Chrome there's the possibility to install from an authenticated source using the integrated software extension manager "Chrome Web Store".[6]

A study from 2015 examined the usability of Mailvelope as an example of a modern OpenPGP client and deemed it unsuitable for the masses. They recommended integrating assistant functionality, sending instructive invitation messages to new communication partners, and publishing basic explanatory texts.[7] The Mailvelope-based OpenPGP system of United Internet integrates such functionality and its usability earned some positive mentions in the press, particularly the offered key synchronization feature.[8][9] A usability analysis from 2016 found it to still be "worthy of improvement" ("verbesserungswürdig"), though, and mentioned "confusing wording" ("irritierende Formulierungen"), missing communication of the concept, bad password recommendations, missing negative dissociation of the more prominent modus that features only transport encryption, plus insufficient support for key authenticity checking (to thwart man-in-the-middle attacks).[4]

Usage

In April 2015, De-Mail providers equipped their services with an option for end-to-end encryption based on Mailvelope that is deactivated by default[10] and can only be used in combination with Mobile TAN or the German electronic identity card.[11] In contrast to the hitherto advertised but ineffective encryption scheme De-Mail some of the same email providers now promise their customers end-to-end encrypted communication among authenticated participants without the need for expert knowledge.[12] In August 2015, the E-Mail services of Web.de and GMX introduced support for OpenPGP encryption and integrated a customized version of Mailvelope into their webmail applications for that. According to self-published figures, this affected about 30 million users.[13]

Functionality

It implements the OpenPGP standard, a public-key cryptosystem first standardized in 1998. It's a web browser extension written in JavaScript for Firefox or Chromium (Chrome). On certain web pages it overlays its control elements which are optically distinguished as being separate from the web application by a surrounding background of tiled lock symbols. This background can be customized to enable recognizing imitations.[4] In the back end it builds on the functionality of the program library OpenPGP.js, a free JavaScript Implementation of the OpenPGP standard. By running inside a separate inline frame, its code is executed separately from the web application and should prevent it from accessing clear text message contents.[3]

The version developed in collaboration with 1&1 silently creates a pair of keys when using a setup wizard and manages all OpenPGP keys locally in the browser.[9]

History

The developer names the defunct software project FireGPG that was started in 2007 as an important predecessor.[14] Thomas Oberndörfer started developing Mailvelope in spring 2012 and the first publication was version 0.4.0.1 on August 24.

Mario Heiderich and Krzysztof Kotowicz of Cure53 did a security audit on an alpha version from 2012/2013.[6] Among other things, the separation from the web application and its data structures was enhanced based on its findings. In February 2014, the same group analysed the library OpenPGP.js which Mailvelope is based on. Version 0.8.0 from the following April included the corrections that stem from it and brought about support for signing messages. In May 2014, iSEC Partners published an analysis of the Firefox extension.[4] Version 1.0.0 was published on August 18, 2015.

The webmail software Roundcube senses and supports Mailvelope as of version 1.2 from May 2016.[15]

gollark: Heavpoot is to be declared SCP-3125-A with immediate effect.
gollark: My tape download program now supports downloading big files without splitting them, via range requests, assuming they're served from a server which supports it: https://pastebin.com/LW9RFpmY (do `web2tape https://url.whatever range`)
gollark: Here is a similar thing for JSON. Note that it delegates out to an external JSON library for string escaping.```luafunction safe_json_serialize(x, prev) local t = type(x) if t == "number" then if x ~= x or x <= -math.huge or x >= math.huge then return tostring(x) end return string.format("%.14g", x) elseif t == "string" then return json.encode(x) elseif t == "table" then prev = prev or {} local as_array = true local max = 0 for k in pairs(x) do if type(k) ~= "number" then as_array = false break end if k > max then max = k end end if as_array then for i = 1, max do if x[i] == nil then as_array = false break end end end if as_array then local res = {} for i, v in ipairs(x) do table.insert(res, safe_json_serialize(v)) end return "["..table.concat(res, ",").."]" else local res = {} for k, v in pairs(x) do table.insert(res, json.encode(tostring(k)) .. ":" .. safe_json_serialize(v)) end return "{"..table.concat(res, ",").."}" end elseif t == "boolean" then return tostring(x) elseif x == nil then return "null" else return json.encode(tostring(x)) endend```
gollark: My tape shuffler thing from a while ago got changed round a bit. Apparently there's some demand for it, so I've improved the metadata format and written some documentation for it, and made the encoder work better by using file metadata instead of filenames and running tasks in parallel so it's much faster. The slightly updated code and docs are here: https://pastebin.com/SPyr8jrh. There are also people working on alternative playback/encoding software for the format for some reason.
gollark: Are you less utilitarian with your names than <@125217743170568192> but don't really want to name your cool shiny robot with the sort of names used by *foolish organic lifeforms*? Care somewhat about storage space and have HTTP enabled to download name lists? Try OC Robot Name Thing! It uses the OpenComputers robot name list for your... CC computer? https://pastebin.com/PgqwZkn5

References

  1. https://github.com/mailvelope/mailvelope/releases/tag/v4.0.1
  2. Lorenzo Franceschi-Bicchierai (2015-09-29). "Why the US Government Is Investing Millions in Internet Freedom Technologies". Motherboard. Vice Media LLC. Retrieved 2016-09-26.
  3. Akash Badshah; Anurag Kashyap; Kenny Lam; Vikas Velagapudi, SendSecure (courses.csail.mit.edu) (in German)
  4. Verena Schochlow; Stephan Neumann; Kristoffer Braun; Melanie Volkamer (2016), "Bewertung der GMX/Mailvelope-Ende-zu-Ende-Verschlüsselung", Datenschutz und Datensicherheit (in German), Wiesbaden: Springer Fachmedien, 40 (5), pp. 295–299, doi:10.1007/s11623-016-0599-5
  5. "Mailvelope". Right to Hide (in German). Hungarian Civil Liberties Union (HCLU). Archived from the original on 2016-09-26. Retrieved 2016-09-26.
  6. Mario Heiderich; Krzysztof Kotowicz, Pentest-Report Mailvelope 12.2012–02.2013 (cure53.de) (in German)
  7. Scott Ruoti; Jeff Andersen; Daniel Zappala; Kent Seamons (2015), Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client (in German), arXiv:1510.08555
  8. Patrick Beuth, "GMX und Web.de: Der schnellste Weg zur verschlüsselten E-Mail" (zeit.de), Die Zeit (in German), Hamburg
  9. "GMX und Web.de integrieren PGP in ihre Mail-Dienste". C't (in German). Retrieved 2015-12-28.
  10. "De-Mail. Ende-zu-Ende-Verschlüsselung mit PGP gestartet". Heise Security (in German). Retrieved 2016-09-25.
  11. "De-Mail integriert Ende-zu-Ende-Verschlüsselung mit PGP". Heise Online (in German). Retrieved 2016-09-25.
  12. "PGP-Verschlüsselung von De-Mails im Browser". C't (in German). Retrieved 2015-12-28.
  13. "Web.de und GMX führen PGP-Verschlüsselung für Mail ein". Heise Online (in German). Retrieved 2016-09-25.
  14. Thomas Oberndörfer. "FAQ – Mailvelope". Mailvelope.com (in German). Retrieved 2016-09-25.
  15. "PGP-Unterstützung: Neuer Roundcube-Webmailer veröffentlicht". Golem.de (in German). Retrieved 2016-09-25.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.