Now FireGPG is a pretty good idea. It integrates GnuPG into Gmail and Gmail for your domain, which I use throughout my personal sites as well as for my employer's email solution. The Firefox plugin adds a couple of extra buttons, as seen below, and gives you the ability to choose keys, find keys and automatically detect encrypted emails.

Now there are major design issues; at least for me they are major issues.
- You write your email in the Gmail interface in plaintext before it's encrypted. If you don't use a plugin such as Lifehacker's BetterGmail2 plugin, Gmail defaults to HTTP instead of HTTPS, which means that while you write your email it gets transported in plaintext to the Google server to be saved as a draft. This makes the encryption afterwards just a bit silly. You've already transmitted 10 plaintext drafts of your email, and now you encrypt it... While that makes it a little more secure, it certainly still opens the email up for interception.
- The second issue is this: say you now use BetterGmail2 and have it use HTTPS by default. Plaintext email is not floating around on the way to Google. But Google still saves drafts while you type the email and before it is encrypted. So odds are that somewhere on some Google server there is a plaintext copy of the email you just sent via GnuPG. Google, a company which I admire, has a pretty good privacy record. Yet the point behind using GnuPG or PGP or any email encryption is that it's for your recipient's eyes only. It's not desirable to have a plaintext copy anywhere that you cannot physically prevent access to.
To Summarize:
FireGPG
Pros:
- Fast & Great Gmail integration
- Makes encryption easy to use
- Free
Cons:
- Somewhat unstable for me
- Due to Gmail design decisions it is not 100% secure and a plaintext copy will most likely be floating around in a cache somewhere.