Encrypt and Sign Gmail messages with FireGPG 206

Linux.com (Same owners as Slashdot) has a story up about FireGPG and says "Gmail may be an excellent Web-based email application, but there is no easy way to use it with privacy tools like GnuPG. The FireGPG extension for Firefox is designed to solve this problem. It integrates nicely into Gmail's interface and allows you...
  • And for the chat (Score:5, Informative)

    by DrYak ( 748999 ) on Monday June 04, 2007 @11:31AM (#19382541) Homepage
    And if you want PGP encryption for chat (Gmail's associated GTalk or any other protocol like MSN, etc.) there is Pidgin [slashdot.org] (formerly Gaim) with plugins:
    • Either Pidgin Encrypt [sourceforge.net] (formerly Gaim Encryption)
    • Or OTR [cypherpunks.ca]


  • by joe_cot ( 1011355 ) on Monday June 04, 2007 @11:42AM (#19382693) Homepage
    I don't actually use it for encryption; I use it for verification.

    Besides encryption, GPG also allows you to sign messages, ensuring that the message is indeed from you, and hasn't been modified after you've signed it. In the Ubuntu Community, this is important for a) verifying messages from developers are real, b) verifying that uploaded packages were created by trusted developers, c) verifying signatures (such as signing the code of conduct).

    While FireGPG is useful, it's not so useful for signing messages; gmail auto-wordwraps messages after you send them, and FireGPG doesn't take that into account. Therefore, unless you wordwrap it yourself, gmail's going to add line breaks, and your signature will be invalid. When I need to sign messages, I either word wrap myself so that gmail doesn't, or send it through Thunderbird using Enigmail.
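An added illustration of the wrapping problem described above (not code from the thread or from FireGPG): SHA-256 over the canonical text stands in for the digest step of a real PGP signature, the canonicalization follows the RFC 4880 cleartext-signature rules, and `mailer_rewrap` is an assumed stand-in for Gmail's post-send hard wrap.

```python
import hashlib
import textwrap


def canonicalize(text: str) -> bytes:
    """RFC 4880 cleartext-signature canonical form: trailing whitespace is
    stripped from every line and lines are joined with CRLF. Line breaks
    inserted by a mailer are NOT undone here, so re-wrapping changes the
    digest and the signature no longer verifies."""
    lines = [ln.rstrip(" \t") for ln in text.splitlines()]
    return "\r\n".join(lines).encode("utf-8")


def sign(text: str) -> str:
    # Stand-in for the digest a real signature would be computed over.
    return hashlib.sha256(canonicalize(text)).hexdigest()


def verify(text: str, sig: str) -> bool:
    return sign(text) == sig


def mailer_rewrap(text: str, width: int = 76) -> str:
    """Assumed model of a webmail client hard-wrapping long lines after send."""
    out = []
    for ln in text.splitlines():
        out.extend(textwrap.wrap(ln, width) or [""])
    return "\n".join(out)


def prewrap(text: str, width: int = 72) -> str:
    """Wrap yourself before signing so a later 76-column rewrap is a no-op."""
    return mailer_rewrap(text, width)


# Constructed sample: one long line, as typed into the Gmail compose box.
LONG = ("Please approve the upload of package foo 1.2-3 to the archive; " * 3).strip()


def demo():
    naive_sig = sign(LONG)
    broken = verify(mailer_rewrap(LONG), naive_sig)      # mailer added breaks
    safe_text = prewrap(LONG)
    safe_sig = sign(safe_text)
    intact = verify(mailer_rewrap(safe_text), safe_sig)  # nothing left to wrap
    return broken, intact
```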
  • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Monday June 04, 2007 @11:47AM (#19382783) Homepage
    You are forgetting about authentication. Email is trivial to spoof. If you *always* sign your messages, then when some asshat, say, decides to send an explicitly detailed nastygram to your boss from 'you', it is easy to prove otherwise...

    Or maybe from your secret lover, etc. You get the picture.
  • by Enoxice ( 993945 ) on Monday June 04, 2007 @11:47AM (#19382799) Journal
    Psh, Lynx. Get with the times, man, everyone is using links2 (perhaps links2 -g if they want to be on the bleeding edge).
  • by emj ( 15659 ) on Monday June 04, 2007 @11:48AM (#19382819) Journal
    I've been using the S/MIME plugin for Firefox [jones.name], and it's great. I'm not sure I like the way you have to apply for a certificate from Thawte, but it works and it's very painless.

    This is not painless and easy, and IMHO S/MIME is implemented a lot more nicely than PGP signatures.
  • by croddy ( 659025 ) on Monday June 04, 2007 @11:53AM (#19382877)
    This works with any textarea, by the way, not just GMail. Not sure why the summary doesn't mention that.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    This works with any textarea, by the way, not just GMail. Not sure why the summary doesn't mention that.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    Comment: http://firegpg.tuxfamily.org/

    iD8DBQFGZDU/WCKEX KsCq6IRAvAtAJ96BAdus/rVCXS+NxlEbMsDdNxTCgCfe+da
    T yi/KWbgNLQUq/qssCj2YR4=
    =Y2mA
    -----END PGP SIGNATURE-----
  • by morgan_greywolf ( 835522 ) * on Monday June 04, 2007 @01:28PM (#19384111) Homepage Journal
    Gmail supports retrieval of mail via POP3 for free. So there's nothing to stop someone from using GPG and similar support already included in or available for a wide variety of e-mail clients such as Outlook, Thunderbird, Evolution, Eudora, etc.
  • by X0563511 ( 793323 ) * on Monday June 04, 2007 @01:36PM (#19384215) Homepage Journal
    No, you can't reverse engineer it like that. PGP uses "trapdoor" functions that are mathematically infeasible to work in reverse. It's possible, but it will take several thousand years.
  • by tayker ( 1111273 ) on Monday June 04, 2007 @01:42PM (#19384309) Homepage
    I've been using Freenigma (http://www.freenigma.com) way before I even heard of FireGPG, and they've had a Firefox extension since then too.
  • by Agelmar ( 205181 ) * on Monday June 04, 2007 @02:18PM (#19384865)
    Not to be too nit-picky, but usually when talking about encryption, the parties are Alice and Bob (the two legitimate users), and Eve (the person who is either 'evil' or 'eavesdropping'). I don't think I've ever heard 'Cathy' used as one of the parties...
  • by marimbaman ( 194066 ) on Monday June 04, 2007 @03:19PM (#19385731)
    The third participant in the conversation is usually Carol.
  • by m50d ( 797211 ) on Monday June 04, 2007 @04:13PM (#19386413) Homepage Journal
    Firstly, I wondered if anyone could confirm this? I have heard that it is the case for Britain at least, although I don't see how it can possibly be legally compatible with the presumption of innocence.

    It's not the case; there was a bill proposed which would have done that, but civil rights activists got it altered so they can only compel you to give up your encryption keys if they can prove you have them.

    Secondly, I wanted to suggest that perhaps this is a reason not to use PGP, because PGP encrypted information can always be decrypted using the recipient's key - even many years after the message was originally sent. So law enforcement officers will be able to get old PGP-encrypted documents from your email account (probably even if you delete them, thanks to backup tapes).

    That's what gpg --show-session-key is for. If you get subpoenaed, you can give them just the session keys for the specific emails they want, and they'll be able to read them but not any other messages you received for the same public/private keypair.

  • by Threni ( 635302 ) on Monday June 04, 2007 @06:56PM (#19388647)
    > You're thinking of steganography - hiding encrypted data.

    No, because the fact that something is hidden doesn't mean you can deny its existence once discovered. If you had a stream of random numbers and you use them to hide a message using a one time pad, it's utterly deniable because you cannot prove there's a message there - you can recover any `message` you like from it, given the appropriate `random` data to xor it with.
  • by Anonymous Coward on Monday June 04, 2007 @07:14PM (#19388825)
    Actually, OTR provides nonrepudiation while the conversation is ongoing. It uses a little crypto trick to verify the identity of the other person when the session is started and the session keys are negotiated, but then it doesn't sign the messages with a specific person's private key. They are still hashed and encrypted in a way that would make MitM attacks infeasible, but either party could have written them. It's a bit like IPSec in that the asymmetric, person-specific keys are used to negotiate symmetric keys for the actual data exchange.

    The way PGP and such provide nonrepudiation is by performing a whole new asymmetric key exchange for each and every message. It's entirely unidirectional and self-contained. Sort of like TCP versus UDP. IPSec and OTR require a handshake before you can talk. PGP doesn't.
