Sean Leather spotted a new Gmail feature that checks if the PGP signature attached to a message is valid.
"A major benefit of public key cryptography is that it provides a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information's origin, and also verify that the information is intact," explains PGP's documentation.
Gmail's code reveals that Google uses a Java applet to perform verification. Here are some excerpts from the code:
function zOb(a){var b=a[dd](/(-----BEGIN PGP SIGNED MESSAGE-----(.|\r?\n)*?-----END PGP SIGNATURE-----)/);
...
var DOb="PGPApplet",EOb="exp/799/pgpapplet_0.jar";
OZ[k].wbc=function $aRa(){var a=document[Qi](M);d(a,WNb({code:"com/google/caribou/pgp/PGPApplet.class",name:DOb,archive:EOb}));
...
kOb="Click to verify PGP signature in this message.",lOb="Verify signature",RZ="vPzQab",mOb="Info",
nOb="No valid PGP signature found.",oOb="Warning!",pOb="Invalid key entered.",
qOb="Applet not loaded. Is Java enabled?",rOb="wrClmc",sOb="Success!",
tOb="Your message was verified successfully!",uOb="Verify again",
vOb="The signature was incorrect! This message may not be authentic!"
The new feature quickly vanished from Sean's account, so it's safe to assume that it's not ready to be publicly released yet. PGP signature verification is the perfect candidate to be the next Gmail Labs experiment.
Update: Expect to see this feature in Gmail Labs. Look for this image:
Signature verification is good. Email encryption would be awesome.
Sweet! I've been waiting for that. But I must agree, that encryption support would be even better. FireGPG does a pretty good job so far though.
Nice...Gmail has been rolling out really useful features last few weeks. Really impressed. Undoubtedly it's the best email client.
I haven't used signatures or message encryption yet though I a public key encryption for a college course. If GMail supported it I'd definitely start using it though.
Interesting. I wonder which keyservers do they use, or do they use their own?
GMAIL is the best email I have ever used
Great, I love gmail!
yeah great.
i'm waiting to kill my Freenigma firefox plugin finally :-)
pgp signatures are the first step... and now i'm waiting to get a full encryption including attachments! :-D
after all, i love google labs. some funny geek stuff no one needs (yay, snake!), but there are really good features! :-)
that would be an amazing new feature.
GOOD ITS MY FAVOURITE
An interesting item to keep an eye on will be how Google handles any future implementation of e-mail encryption via Gmail. Specifically, whether they encrypt the contents of auto-saved drafts, which would be the obvious weak link in a Gmail-based mail encryption scheme.
I used gmail. But only use my gmail account for business only not for work or daily activity..
over all i believe with gmail.
That would be great — and having the largest provider offer it is the best booting in you can dream of. It probably precedes a full encryption system, although that might be more information-intensive. Maybe GMail offered the "disconnected" Gears tool to dispatch this additional processing to the end-machine.
I'm not sure why I don't see it: are there any countries where this might be illegal? Encryption probably is.
@Bertil:
You don't see it because it hasn't been released yet.
FireGPG has always given me problems with GMail in the past. (Haven't used it in a while though.) This would be great, especially if they also add an ability to sign mail in GMail - maybe even encrypt/decrypt, though most users would probably assume Google was just trying to steal their keys. cf. http://xkcd.com/538/
This would be awesome!
While it is possible to use OpenPGP and Gmail with an e-mail client program, it would be excellent if they add built-in signature validation in their website.
Or maybe they can make a plain text webmail option, in order to be able to paste an already encrypted inline message...
It is excellent to verify pgp signature of incoming Email, as this needs only the public key of the sender. However, it is not appropriate for a web mail program to sign an Email directly, as this requires the private key which is not good to be stored on Google server rather your own private data store.
Having said that, I think offline mode or browser plug-in might fill the gap.
I really like this. It would help me a lot in what I do
I can't wait for this to be out of labs and live. Perhaps the increased visibility and automatic verification would help get people interested in PGP and email encryption!!
While it's stuck in labs, though, it will just be a toy for nerds... most of whom probably already have FireGPG installed.
It is just me or gmail searches return only starred messages?
it works fine now, sorry
This is very exciting. I look forward to seeing this in labs.
I'm waiting for this a long time. I hope to test it soon.
PGP signature verification is in labs? where?
Right now I use the GnuPG with the FireGPG (Firefox GPG Plugin) which allows Gmail to send/receive PGP email, along with verification, etc. But if GMail comes with it built in, I'm definitely on board with that!
PGP and encryption would be an excellent feature.
Any update on this in gmail yet? Have not seen anything.
I'd stick to full disk encryption for the laptop to start with as it's more important.
hey gmail is getting advanced and good i love that new features in it
Definitively, one of the greatest features to add would be PGP...
Something like this would be great...
Hi Gmail folks,
This is a test for the most expected feature on Gmail, PGP!
An applet is a great approach. It offloads the work to the client where it can be most secure (even from Google's mail server).
I wonder where and how the private key is stored. There should be a second prompt from the applet to request the password to un-encrypt the private key. In this way, the server keeps only the encrypted version for convenience.
With all of the possibilities of getting email stolen, I would love to see PGP encryption available. It would only add to the security features they already have in place.
It sounds good for signatures, but actual encryption should not be done on the google side of things. The point of pgp is that even the email provider doesn't have access to the message contents. I wouldn't use it unless my private key never leaves my hands.
hushmail uses an applet to do full OpenPGP compatible encryption / signatures. Is there any word on whether google mail will continue having at least signature verification?
Any news on gmail PGP signature verification support?
Obviously Gmail has absolutely no interest in encrypting the contents of emails, as their whole ad rationale is based on... contents.
It's a shame that it's unlikely to be implemented. How are google going to suggest relevant advertising from encrypted emails?
For the rare times that I want to encrypt a message, I'm happy to copy&paste from a terminal. But it would be awesome+1 if GMail would *sign* my messages, even if I have to generate a GMail-specific key that I don't expect to be as safe as the one on my notworked PC at home.
@Bernd +1
I can live without encryption via the web interface, but it sure would be nice to *at* *least* have signing available.
Hi all,
Any update with this?
Regards
This would be nice...
Still no updates on this feature, I'm sure Google won't add the signature for us!
This would be great because it verifies authenticity of the sender. If your gmail was hacked and a bunch of email was sent out to a person. The person receiving it would not know if it was really you unless they verify your signature.
I don't understand why Google can't have this as a common application
I have activated pop in G mail and using Thunderbird with the Enigmail extension for open-pgp.
The FBI has a back door to gmail that allows them to view and search all emails. This back door was exploited a while back by China when they were able to use gmail to find dissidents.
Just consider any email that you send via gmail as viewable by governments and hackers (basically consider it public information).
I suspect this is true of all email in general (through gateway sniffers). Client side pgp is the only way we will ever have our privacy back.
Google won't provide the pgp encryption because google want to see ones content. Google doesn't provide so much space for ones email account just for free - it needs to look into the stuff. Encrypting everything would render all the hosted data useless for google (not to mention us gov)
They could host the private keys that way you wouldn't rely on having your private key on every computer you use and have special addons in your favorite browsers.
If the private key is hosted on their site we could benefit from the encryption without keeping them from giving the backdoor to fbi and hackers.
Signing alone is of trivial value.
Signed- and encrypted message [threads] are the grail for webmail
Google has done little (read as: nothing) to facilitate webmail encryption
Obviously "do no evil" is NOT synonymous with "do good"
XMPP:obviously@chatme.im
AGP in K9 on android is slow grinding in a positive direction.
FireGPG seemed like a good plan until
http://blog.getfiregpg.org/2010/06/07/firegpg-discontinued/
there's a new masokidsm [sic] on the block
http://gnupg.org/
@ july 14 2011
gmail OUGHT neither generate- nor store one's PRIVATE key
wolf in the sheeple house and whatnot
XMPP:obviously@chatme.im
Any update on this? I'd love to have this!
Well considering that google can't even figure out how to alphabetise youtube playlists ... I'm not holding out much hope.
Check out this free & open source tool for easy to use Pretty Good Privacy in Gmail.
https://sourceforge.net/projects/safegmail/?source=directory