Google nudges 'End-to-End' encryption alpha forward with Yahoo ideas

Google has updated its End-to-End encryption project, incorporating several post-Snowden contributions from Yahoo's chief security officer, Alex Stamos.

Google first unveiled End-to-End in June. It is a coding project that aims to make end-to-end message encryption less complex for the average computer user than existing tools like PGP and GnuPG.

End-to-End is a Chrome extension based on OpenPGP that should, once complete, ensure data that leaves a browser remains encrypted until it reaches the intended recipient. It would improve users' privacy when using services like Gmail, which encrypts messages between the browser and Google's servers; once a message arrives there, it can still be exposed to government access requests.

End-to-End will help users "encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP", according to a Google blog post published on Tuesday.

One of the key updates to the project announced this week is that Google has moved the code for the project from its own Google Code repository to GitHub. The code has been released to let researchers review it, while a new wiki provides a more detailed description of End-to-End for security researchers and developers to delve into.

Another interesting update is that Yahoo's Stamos is officially working on End-to-End. Stamos announced at the BlackHat conference in August that he would contribute to the project, which has become a priority at Yahoo due to government incursions on end-user privacy revealed by former NSA contractor Edward Snowden.

While it's not clear what exactly Stamos has contributed, he revealed that Yahoo is using Google's extension internally and that the companies were working on supporting encrypted message exchange between Yahoo Mail and Gmail.

Google said when it unveiled the project that End-to-End was included in its program that pays researchers for disclosing bugs to the company, and according to Stephan Somogyi, a Google product manager in its security and privacy team, two bugs submitted have resulted in payments.

Somogyi didn't say what the bugs were but added that Google hasn't received many reports for End-to-End's newly developed JavaScript-based crypto library.

The product is still in alpha but once it's more stable the plan is to release it on the Chrome Web Store.

The biggest challenge that lies ahead, according to Somogyi, is developing an adequate system to handle key management and distribution.

"Key distribution and management is one of the hardest usability problems with cryptography-related products, and we won't release End-To-End in non-alpha form until we have a solution we're content with," he noted.
