How to exchange Gmail messages securely thanks to encryption. Two browser extensions that make Gmail mail safer, easier to install and use.
With Gmail, email is encrypted whenever this is physically possible. Google has often explained that not all providers that provide a TLS mailbox then talk in encrypted form with the provider’s MTA (Mail Transfer Agent) servers to which an email is directed. In other words, if in the case of TLS email accounts the data packets are encrypted between the user’s device and the provider providing the email service, it is not assumed that the messages travel in encrypted form between the sender provider and the recipient provider. Of the problem Google spoke in these pages.
As explained in the article Protect web accounts and improve their security, in paragraph 10) Using mail accounts that support the use of encryption (TLS protocol), Google shows a red lock when an email – in all probability – will not be encrypted along the entire path before reaching the recipient’s inbox (here the meaning of the lock icons shown in the Gmail web interface).
Users of Gmail should also be aware that the content of their emails can be read automatically by Google, as indicated in the Terms of Service. In fact, Google writes: “our automated systems analyze user content (including emails) in order to offer personal product-relevant features, such as personalized search results, tailored advertising and detection of spam and malware. Occurs when the contents are transmitted, received and stored”.
By using some software solutions to encrypt emails, you can make Gmail mail more secure by preventing third parties, including Google, from reading the message content.
Gmail, email encrypted with Mailvelope and FlowCrypt
We offer two browser extensions – Mailvelope and FlowCrypt – that make Gmail mail more secure by encrypting messages. Both rely on the use of the PGP (Pretty Good Privacy) standard and are responsible for generating a pair of keys (one public and one private) on the user’s local system.
Since these are solutions based on the use of asymmetric cryptography, first generate your own key pair and then, as soon as you receive encrypted messages, you only have to confirm the storage of the other public keys to decode both the content of the emails and that of any attachments.
The advantage of Mailvelope is that it allows you to encrypt emails with the most popular mail services accessible via the web (not just Gmail but also Outlook.com and Yahoo).
Referring to the Options section, List of email providers, Mailvelope can even be adapted to any webmail service, even those not directly supported.
In the article Encrypt email from the web with Mailvelope almost five years ago we presented the operation of Mailvelope.
The operation of the FlowCrypt browser extension is very similar to that of Mailvelope.
Mailvelope is available as an extension for Chrome and Firefox while FlowCrypt, downloadable here, in addition to supporting the two browsers mentioned, also offers an Android app currently in beta (intended for those who will accept to participate in the first person beta testing program).
Once you have consented to the installation of the FlowCrypt extension, just click on the Continue with Gmail button and then authorize access to your Gmail account.
The authorization may be revoked at any time by clicking on this page (click on FlowCrypt Browser Extension and then on Remove access).
With a click on “New Encryption Key” it will be possible to generate the cryptographic keys pair that will be used to encrypt Gmail mail.
In the following screen, the choice of a sufficiently long and complex password is fundamental: it will be used to protect the private key as well as to decrypt the incoming encrypted messages.
Whenever you want to send an encrypted email, just click on the FlowCrypt icon on the right side of the browser’s address bar.
When composing the message, FlowCrypt will search for the recipient’s public key as soon as it is set up using the Add recipient entry.
Gmail will not be able to read the contents of the encrypted emails but will still be able to read the metadata of the same (date and time of sending the message and the recipient’s email address); in the case of FlowCrypt you can also access the text of the email subject.
It must be said that using browser extensions such as Mailvelope and FlowCryptIt is certainly the easiest and fastest way to encrypt Gmail mail. The security of the extensions and therefore the exchange flows of encrypted emails is however closely linked to any bugs present in the browser (hence the importance of promptly applying all the updates) and to the presence of potentially harmful extensions, especially those that require permission to access all open tabs and web pages.
If you do not like the idea of using a browser extension, just use a completely independent PGP client or a PGP add-on for your email client.