A BSI initiative brings web form encryption, better integration with desktop software, and a security audit to PGP Encryption for web browsers.
Mailvelope is open-source software that allows users to read and write PGP-encrypted e-mail directly in their browser.
Browser plug-ins of this kind can be used to upgrade webmail programs to end-to-end encrypted mail traffic.
Among other things, website operators can now use Mailvelope to encrypt their web forms and software.
Users can easily receive those messages in desktop mail applications. The initiative also simplifies key management and improves the security of the software.
Better user interface, more compatibility, security audit
The improvements were carried out on behalf of the BSI by Mailvelope GmbH, which developed the software of the same name, and the Osnabrück-based IT service provider Intevation.
The German security company SEC Consult carried out a comprehensive security audit.
The aim of the audit was to find security vulnerabilities in the encryption algorithms used in Mailvelope.
Three vulnerabilities were discovered and fixed in Mailvelope four, as well as in the third-party library OpenPGP.js used by the software.
Clickjacking of the web interface provided by the plug-in is one possible attack on the PGP Encryption.
In addition, the user interface of the software was improved in a few places.
As a result, a potential attacker cannot carry out any critical operations without user interaction.
An example of such an attack is an attacker inducing a person to click on manipulated links.
Details on the security vulnerabilities discovered during the audit are available on an English-language page of the BSI.
According to BSI, one of the improvements to Mailvelope was to enable website operators to offer contact forms that encrypt messages from the user’s browser to the recipient end-to-end.
For this purpose, the operator of the website must adapt their web form accordingly.
Mailvelope then recognizes that the website can receive PGP-encrypted messages.
Key management is then handled over HTTPS via the WKD protocol (WKD stands for Web Key Directory).
Now the website operator can read the encrypted mail either via webmail and Mailvelope or in a PGP-enabled desktop client.
As a field of application for this technology, the BSI is thinking primarily of doctors or banks.
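The WKD lookup mentioned above, sketched as an added example (not code from Mailvelope or the BSI): it derives the HTTPS URLs a client would query for a recipient's key, following the published WKD draft (SHA-1 of the lowercased local part, z-base-32 encoded). The address is constructed, and the domain check is an assumption added here so that a crafted address cannot redirect the lookup to another host or path.

```python
import hashlib
import re
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD
# Conservative host-name check (assumption of this example, ASCII domains only):
# rejects anything that could inject a path, port or userinfo into the URL.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, 5 bits per character, most significant bits first."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # right-pad with zero bits to a multiple of 5
    value = int.from_bytes(data, "big") << pad
    return "".join(ZBASE32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))


def ascii_lower(text: str) -> str:
    """Lowercase ASCII letters only; non-ASCII characters stay unchanged."""
    return "".join(c.lower() if c.isascii() else c for c in text)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD lookup URLs for an e-mail address."""
    local, sep, domain = address.rpartition("@")
    domain = domain.lower()
    if not sep or not local or not DOMAIN_RE.match(domain):
        raise ValueError(f"not a usable e-mail address: {address!r}")
    digest = hashlib.sha1(ascii_lower(local).encode("utf-8")).digest()
    hashed = zbase32(digest)                # 160 bits -> exactly 32 characters
    query = "?l=" + quote(local, safe="")   # original local part, percent-encoded
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():  # constructed address
        print(name, url)
```

Both URLs use the https scheme only, so the key is fetched from a host that has to present a valid TLS certificate for the recipient's mail domain.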
In a Practical World
The BSI's effort to improve Mailvelope is commendable.
The browser plug-in was already a good alternative for non-technical users to send and receive PGP-secured mail.
The BSI developments make the software even better.
Security purists criticize Mailvelope for placing the encryption in a very insecure domain on the user's machine (the web browser) and for key management that is not very transparent.
Nevertheless, the software addresses a fundamental problem of PGP Encryption: the horrendously complicated use of the protocol.
Key management of traditional PGP Encryption implementations alone is an insurmountable obstacle for many everyday users.
After all, office helpers or bank clerks rarely want to bother with technical details. They just want a way to securely send mail that works without much hassle. So far, PGP Encryption, no matter with which software, has been rather unsuitable for that.
From this perspective, it makes sense that the BSI advocates more user-friendly software in this area.
In a perfect world, banks and medical practices all over the USA are now listening and discussing ways to secure their web forms and mail software on local devices.
Reality of usage of PGP Encryption
Large companies such as banks often consider deploying such technology only months or even years later, and they implement such changes only after considerable paperwork in the background.
Still, it may help that a government agency, the BSI, is behind the software and that a security audit is already available.
However, large-scale use of PGP Encryption seems somewhat unrealistic in medical practices, as they often lack the necessary knowledge
even to understand the importance of soundly encrypted communication.
In conversations with several physicians in private practice, Heise online was rarely able to explain the difference between transport encryption and end-to-end encryption for web forms.
None of the banks contacted by us responded promptly to a request for comment on the BSI’s proposal to encrypt corresponding web forms.
As with so many PGP Encryption initiatives, there seems to be a lack of practical users here too.
Part of that is probably due to PGP’s reputation among the general public for being an incredibly complicated and time-consuming technique.
However, it also becomes clear that an awareness of the importance of end-to-end encryption in communications (primarily private data) is essential.
But because the knowledge of the general public is not yet as advanced as that of many experts in the security community, PGP Encryption is still far away from public use.