Edward Snowden is fast becoming a household name. His NSA revelations brought shock and awe into American households, as individuals and families started to realize that their communications were not quite as private as they had originally thought. To partially calm some of those nerves, I’d like to offer a few easy ways that you can encrypt your webmail to at least try and maintain some semblance of email privacy in a world filled with snoops and spies.
Before we get started, it’s important to understand what types of encryption is available to you when you’re using webmail like Gmail, Hotmail and others. In general, people will use either public-key cryptography or secret key cryptography, depending on the application and how comfortable people feel with the process of sending emails in each case. Some people feel that public-key cryptography is very secure, while other people like to maintain the password part of the equation privately, so they use secret key cryptography.
Public key – asymmetric cryptography – is most common. It’s a secure digital transmission system involving basically two keys for each person on each end of a message transfer. The recipient and sender both have public and private keys. The public key can be handed out like candy. It simply allows someone to send you an encrypted message. The private key, on the other hand, is to be kept secure, as it’s what identifies that you are really the recipient.
Secret key – symmetric cryptography – is actually very secure, but it’s also very simple. You basically encrypt the message using a single secret cryptographic key, and the recipient can’t open the message without that key. In this article, I’m going to show you how you can do both using webmail.
Encrypting Messages in Webmail
Which method you choose to send encrypted emails really depends on what you’re trying to do and who you’re sending it to. In both examples here, you’re going to need to share a key of some form with the other person – either your public key in the case of asymmetric, or your secret key in the case of symmetric. Obviously, this means you’ll need a way to get the secret password to the other person. If you don’t have a secure way to get it to them, you’re best to go with asymmetric (public-key) as the safest option. If you have a safe way to get a secret password to them, by all means take the secret key approach.
Secret Key Webmail Encryption
I’ve used secret key encryption before to communicate with one of my correspondents overseas in China. The way we worked it out was that while talking with him on a landline while he was on his vacation in the U.S., I told him the password we would use for communications. Once he returned to China, we used a particular website (which he thankfully had access to through the China firewall) to encrypt and decrypt our emailed messages. One such website is InfoEncrypt.
A lot of people like the secret-key encryption approach because it’s so simple. You visit the site, type your message along with a password, and then click the “Encrypt” button.
This will provide you with an encrypted message that can only be decrypted if someone has the secret key that you’ve just created. You then take the encrypted message and paste it into your webmail message to the recipient.
The recipient will copy this message, paste it into the website’s text field, type the password and then click decrypt. If they have the right password, they’ll see your message!
A similar site to this is SafeMess. This website will encrypt the message in the same way, but it also offers another nice level of security by destroying the encrypted message after a certain amount of time passes. This means that if you make the message “self-destruct” in 24 hours, even if someone obtains the password a week from the time you create the message, it will no longer decrypt, even with the correct password.
This is a pretty nice level of added security, because you can tell the person in the subject of the encrypted email that they have 24 hours to retrieve the message. After that, it’ll self destruct and no one will ever see that message again.
Encrypting Webmail in Firefox
The next approach to cover is public-key encryption. I’m going to show you how you can use this encryption in your webmail accounts in either Firefox or in Chrome. There used to be a Firefox extension called Gmail S/Mime to encrypt Gmail messages, but the latest evolution of that is an awesome encryption service called Penango. Once you install Penango in FireFox, you can see the general settings and the settings for webmail accounts in the options area.
You aren’t done after you’ve installed Penango. If you want to exchange secure messages, you need to obtain your key. You do this by going toComodo and signing up for one.
Once you sign up at Comodo, there’s a quick button to install the Comodo certificate on your system.
In Firefox, go to Tools and select Certificate Manager. If it installed correctly, you should see your installed certificate listed there. You now have your public/private keys and you’re ready to start sending and receiving secure, encrypted messages.
Open up Gmail and you should immediately see an alert on the screen telling you that Penango is activated and “successfully acquired OAuth token”.
Go ahead and compose a message. You’ll see a few more things that confirm you’ve successfully installed your webmail security system. A message tells you that recipients will be assured you’re the sender. Also, there’s a small “seal of authenticity” stamp on the blue Gmail send button, and in the lower right corner you’ll see buttons to turn on or off email signing, or to turn encryption on or off.
Just keep in mind that your recipient will also need to be registered and set up to receive your encrypted message. Otherwise, you won’t be able to enable encryption.
Encrypted Webmail in Chrome
One of the best plugins in Chrome for encrypted webmail is Mailvelope. Dave also touched on Mailvelope a while back as well. This is my favorite because of the ease of use. Just install the plugin, and go into the options area to see the key manager. If you’ve just installed it, then this area will be empty.
Click on the “Generate Key” link in the left menu to create your public and private keys. Under advanced, you can set the encryption algorithm you want to use if you like. Create a secure passphrase, and then generate the key. The keys are only stored locally in your browser.
Now, when you go back to the “Display Key” list, you’ll see the key that you’ve just created.
When you want to give someone your public key, you’ll just have to click on the export button and display it and copy to clipboard, or send it directly to someone via email.
Once the recipient has the key, you can send them a secure email message by clicking the Mailvelope icon on the right side of the message compose window.
This opens a new application window isolated from the webmail system, where you can type in your email message in plain text, and then click the lock icon to convert it into an encrypted message using your registered keys.
Hitting the transfer button will paste the encrypted text into your Gmail compose window.
Mailvelope works in Webmail systems like Gmail, Yahoo and more – so that you can transmit messages using some of the most secure algorithms available to the public.
Unfortunately, it’s difficult to find many options for Firefox. Penango is one of the best. As far as Chrome goes, you’ve got lots of options in addition to Mailvelope. Mymail-Crypt and SafeGmail are two very good options as well. Another option is to use secure and encrypted email providerservices.
Don’t get me wrong. No one is saying that you can outsmart an organization like the NSA with something like public-key encryption, but at least you can give Big Brother a bit of a hard time when it comes to getting access to those messages. Make them go through the trouble of figuring out what algorithm you used, or having to break your passcode. Either way, it might at least prevent open scanning of the messages unless they have just cause to break into those email transmissions.
These days, it isn’t just the government you have to worry about. Foreign countries spy on citizens of other countries. Companies spy on the employees of their competitors. The risks are everywhere, so why not take the extra step and lock down your sensitive email messages?
Have you ever used any of these services? Do you have any other encryption methods you like to use? Share your thoughts and feedback in the comments section below!