Mailvelope

Last updated
Mailvelope
Developer(s) Mailvelope GmbH
Initial release2012;12 years ago (2012)
Stable release
5.1.1 [1] / 13 October 2023;13 months ago (2023-10-13)
Repository mailvelope on GitHub
Written in JavaScript
Platform web browser
Type browser extension
License AGPL (free software)
Website www.mailvelope.com

Mailvelope is free software for end-to-end encryption of email traffic inside of a web browser (Firefox, Chromium or Edge) that integrates itself into existing webmail applications ("email websites"). It can be used to encrypt and sign electronic messages, including attached files, without the use of a separate, native email client (like Thunderbird) using the OpenPGP standard.

Contents

The name is a portmanteau of the words "mail" and "envelope". It is published together with its source code under the terms of version 3 of the GNU Affero General Public License (AGPL). The company Mailvelope GmbH runs the development using a public code repository on GitHub. Development is sponsored by the Open Technology Fund and Internews. [2]

Similar alternatives had been Mymail-Crypt [3] and WebPG. [4]

Features

Mailvelope equips webmail applications with OpenPGP functionality. Support for several popular providers like Gmail, Yahoo, Outlook on the web and others are preconfigured. [5] [6] The webmail software Roundcube senses and supports Mailvelope as of version 1.2 from May 2016, as well as most (self-hosted) webmail clients. [7] For Chromium/Chrome there's the possibility to install from an authenticated source using the integrated software extension manager "Chrome Web Store". [8] In addition, Mailvelope is also available for Firefox and Microsoft Edge as an add-on.

Mailvelope works according to the OpenPGP standard, a public-key cryptosystem first standardized in 1998 and is written in JavaScript. On preset or user-authorized web pages it overlays the page with its control elements, which are optically distinguished as being separate from the web application by a surrounding security-background. This background can be customized to detect impersonations. [4] For encryption it relies on the functionality of the program library OpenPGP.js, a free JavaScript Implementation of the OpenPGP standard. By running inside a separate inline frame, its code is executed separately from the web application and should prevent it from accessing clear text message contents. [3]

The integration of Mailvelope via an API, developed in collaboration with United Internet, allows deeper integration between the webmail service and Mailvelope components. Thus, the setup and generation of a key pair can be done directly in the webmailer using a wizard. Mailvelope manages all OpenPGP keys locally in the browser. [9] Since version 3.0, a local GnuPG installation can be included in Mailvelope's key management, allowing users to use native applications if desired. [10]

History and usage

Thomas Oberndörfer started developing Mailvelope in spring 2012 with the first public version 0.4.0.1 released on August 24. The global surveillance disclosure raised questions about the security of private and business email communication. At the time, e-mail encryption with OpenPGP was considered too complicated to use. Moreover, the webmail services that were particularly popular with private individuals did not offer any end-to-end encryption functions. This led to various mentions of Mailvelope in the press as a possible solution to this problem. [11] [12] [13]

Mario Heiderich and Krzysztof Kotowicz of Cure53 did a security audit on an alpha version from 2012/2013. [8] Among other things, the separation from the web application and its data structures was improved based on its findings. In February 2014, the same group analysed the library OpenPGP.js which Mailvelope is based on. Version 0.8.0, released the following April, adopted the resulting fixes and added support for message signing. In May 2014, iSEC Partners published an analysis of the Firefox extension. [4] Version 1.0.0 was published on August 18, 2015.

In April 2015, De-Mail providers equipped their services with a default disabled option for end-to-end encryption based on Mailvelope, but it could only be used in combination with Mobile TAN or the German electronic identity card. [14] The new version of the extension was released in May 2015. In August 2015, the email services of Web.de and GMX introduced support for OpenPGP encryption and integrated Mailvelope into their webmail applications for that. According to the company's own information, this option to encrypt e-mails in this way was available to around 30 million users. [15]

A 2015 study examined the usability of Mailvelope as an example of a modern OpenPGP client and deemed it unsuitable for the masses. They recommended integrating assistant functionality, sending instructive invitation messages to new communication partners, and publishing basic explanatory texts. [16] The Mailvelope-based OpenPGP system of United Internet integrates such functionality and its usability earned some positive mentions in the press, particularly the offered key synchronization feature. [17] [9] A usability analysis from 2016 found it to still be "worthy of improvement" ("verbesserungswürdig"), though, and mentioned "confusing wording" ("irritierende Formulierungen"), missing communication of the concept, bad password recommendations, missing negative dissociation of the more prominent modus that features only transport encryption, plus insufficient support for key authenticity checking (to thwart man-in-the-middle attacks). [4]

Mailvelope was enhanced in 2018/19 as part of a BSI initiative. [18] Overall, the "key management was simplified, and security of the software improved." All security vulnerabilities in the Mailvelope source code, as well as in the OpenPGP.js program library used, brought to light by a security audit conducted by SEC Consult were closed. [19] [20] According to the BSI, one goal of the project was also to enable website operators to offer contact forms in the future to securely encrypt messages from the user's browser to the recipient. The import of new keys would be HTTPS-encrypted using the WKD (Web Key Directory) protocol. [19]

Related Research Articles

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

<span class="mw-page-title-main">GNU Privacy Guard</span> Complete implementation of the OpenPGP and S/MIME standards

GNU Privacy Guard is a free-software replacement for Symantec's cryptographic software suite PGP. The software is compliant with RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable with GnuPG and other OpenPGP v4-compliant systems.

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

<span class="mw-page-title-main">Webmail</span> Email service that can be accessed using a web browser

Webmail is an email service that can be accessed using a standard web browser. It contrasts with email service accessible through a specialised email client software. Additionally, many internet service providers (ISP) provide webmail as part of their internet service package. Similarly, some web hosting providers also provide webmail as a part of their hosting package.

<span class="mw-page-title-main">Mozilla Thunderbird</span> Free and open-source email client by Mozilla

Mozilla Thunderbird is a free and open-source email client that also functions as a personal information manager with a calendar and contactbook, as well as an RSS feed reader, chat client (IRC/XMPP/Matrix), and news client. Operated by MZLA Technologies Corporation, a subsidiary of the Mozilla Foundation, Thunderbird is an independent, community-driven project that is managed and overseen by the Thunderbird Council, which is elected by the Thunderbird community. As a cross-platform application, Thunderbird is available for Windows, macOS, FreeBSD, Android, and Linux. The project strategy was originally modeled after that of Mozilla's Firefox, and Thunderbird is an interface built on top of that Web browser.

Hushmail is an encrypted proprietary web-based email service offering PGP-encrypted e-mail and vanity domain service. Hushmail uses OpenPGP standards. If public encryption keys are available to both recipient and sender, Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password and stored for pickup by the recipient, or the message can be sent in cleartext. In July 2016, the company launched an iOS app that offers end-to-end encryption and full integration with the webmail settings. The company is located in Vancouver, British Columbia, Canada.

S/MIME is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 8551. It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.

The following tables compare general and technical information for a number of notable webmail providers who offer a web interface in English.

Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt communications channels, otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems.

This is a technical feature comparison of different disk encryption software.

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication.

<span class="mw-page-title-main">Mailpile</span>

Mailpile is a free and open-source email client with the main focus of privacy and usability. It is a webmail client, albeit one run from the user's computer, as a downloaded program launched as a local website.

<span class="mw-page-title-main">Proton Mail</span> End-to-end encrypted email service

Proton Mail is a Swiss end-to-end encrypted email service founded in 2013 headquartered in Plan-les-Ouates, Switzerland. Proton Mail is now run by Proton AG, which also operates Proton VPN, Proton Drive, Proton Calendar, Proton Pass and Proton Wallet. It uses client-side encryption to protect email content and user data before they are sent to Proton Mail servers, unlike other common email providers such as Gmail and Outlook.com.

<span class="mw-page-title-main">Tuta (email)</span> Free and open-source end-to-end encrypted email software and host

Tuta, formerly Tutanota, is an end-to-end encrypted email app and a freemium secure email service. The service is advertisement-free; it relies on donations and premium subscriptions. As of June 2023, Tutanota's owners claimed to have over 10 million users of the product. The company announced a transition to 100% renewable electricity in March 2019. This decision coincided with employee participation in Fridays for Future protests. On 1st October 2024, Tuta launched its standalone encrypted calendar app. Tuta Mail has recently integrated post-quantum cryptography features through its new protocol - TutaCrypt replacing standard encryption methods like RSA-2048 and AES-256 for its newly created accounts after March 2024.

<span class="mw-page-title-main">Mailfence</span> Encrypted email service

Mailfence is secure encrypted email service that offers OpenPGP based end-to-end encryption and digital signatures. It was launched in November 2013 by Belgium-based company ContactOffice Group that has been operating an online collaboration suite since 1999.

<span class="mw-page-title-main">OpenKeychain</span>

OpenKeychain is a free and open-source mobile app for the Android operating system that provides strong, user-based encryption which is compatible with the OpenPGP standard. This allows users to encrypt, decrypt, sign, and verify signatures for text, emails, and files. The app allows the user to store the public keys of other users with whom they interact, and to encrypt files such that only a specified user can decrypt them. In the same manner, if a file is received from another user and its public keys are saved, the receiver can verify the authenticity of that file and decrypt it if necessary. As of August 2021, it is no longer actively developed.

Autocrypt is a cryptographic protocol for email clients aiming to simplify key exchange and enabling encryption. Version 1.0 of the Autocrypt specification was released in December 2017 and makes no attempt to protect against MITM attacks. It is implemented on top of OpenPGP replacing its complex key management by fully automated exchange of cryptographic keys between peers.

<span class="mw-page-title-main">EFAIL</span> Email security vulnerability

Efail, also written EFAIL, is a security hole in email systems with which content can be transmitted in encrypted form. This gap allows attackers to access the decrypted content of an email if it contains active content like HTML or JavaScript, or if loading of external content has been enabled in the client. Affected email clients include Gmail, Apple Mail, and Microsoft Outlook.

<span class="mw-page-title-main">Canary Mail</span> Email client

Canary Mail is an email client that offers artificial intelligence (AI) capabilities backed by technology from OpenAI & Cohere, as well as open-source language models from Hugging Face. The app is available on Windows, macOS, Android, and IOS.

mailbox.org Encrypted email and web service provider in Germany

mailbox.org is an encrypted email service provider based in Germany. The encryption system uses PGP like most other encrypted email providers. It also features address books, calendars, video conferencing, online office and tasks management. It competes against Microsoft 365 and Google Workspace as a German based provider. Its target customers include private, business, school and public authorities.

References

  1. "Release Mailvelope 5.1.1 · mailvelope/Mailvelope". GitHub .
  2. "Mailvelope: PGP for Gmail & Webmail". mailvelope.com. Retrieved 2022-03-02.
  3. 1 2 Akash Badshah; Anurag Kashyap; Kenny Lam; Vikas Velagapudi, SendSecure (courses.csail.mit.edu) (in German)
  4. 1 2 3 4 Verena Schochlow; Stephan Neumann; Kristoffer Braun; Melanie Volkamer (2016), "Bewertung der GMX/Mailvelope-Ende-zu-Ende-Verschlüsselung", Datenschutz und Datensicherheit (in German), vol. 40, no. 5, Wiesbaden: Springer Fachmedien, pp. 295–299, doi:10.1007/s11623-016-0599-5, S2CID   12246719
  5. "Mailvelope". Right to Hide (in German). Hungarian Civil Liberties Union (HCLU). Archived from the original on 2016-09-26. Retrieved 2016-09-26.
  6. "FAQ | Mailvelope". mailvelope.com. Retrieved 2022-03-02.
  7. "PGP-Unterstützung: Neuer Roundcube-Webmailer veröffentlicht". Golem.de (in German). Retrieved 2016-09-25.
  8. 1 2 Mario Heiderich; Krzysztof Kotowicz, Pentest-Report Mailvelope 12.2012–02.2013 (cure53.de) (in German)
  9. 1 2 Bleich, Axel Kossel (21 August 2015). "GMX und Web.de integrieren PGP in ihre Mail-Dienste". C't (in German). Vol. 2015, no. 19. p. 40. Retrieved 2015-12-28.
  10. "BSI-Projekt 'Weiterentwicklung von Mailvelope'". Bundesamt für Sicherheit in der Informationstechnik (in German). Retrieved 2022-03-02.
  11. Finley, Klint. "Google's Revamped Gmail Could Take Encryption Mainstream". Wired. ISSN   1059-1028 . Retrieved 2022-03-02.
  12. Tufnell, Nicholas (2015-03-06). "21 tips, tricks and shortcuts to help you stay anonymous online". the Guardian. Retrieved 2022-03-02.
  13. Russon, Mary-Ann (2015-03-06). "How to encrypt your emails using PGP to keep your secrets safe" . Retrieved 2022-03-02.
  14. "De-Mail integriert Ende-zu-Ende-Verschlüsselung mit PGP". Heise Online (in German). 9 March 2015. Retrieved 2016-09-25.
  15. "Web.de und GMX führen PGP-Verschlüsselung für Mail ein". Heise Online (in German). 20 August 2015. Retrieved 2016-09-25.
  16. Scott Ruoti; Jeff Andersen; Daniel Zappala; Kent Seamons (2015), Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client (in German), arXiv: 1510.08555
  17. Patrick Beuth (24 August 2015), "GMX und Web.de: Der schnellste Weg zur verschlüsselten E-Mail" (zeit.de), Die Zeit (in German), Hamburg
  18. "BSI-Projekt 'Weiterentwicklung von Mailvelope'". Bundesamt für Sicherheit in der Informationstechnik (in German). Retrieved 2022-03-02.
  19. 1 2 Scherschel, Fabian (2019-08-23). "PGP-Verschlüsselung für Webbrowser: BSI-Projekt verbessert Open-Source-Software Mailvelope". deise.de (in German). Retrieved 2022-03-02.
  20. Ettlinger, W. (2019). "Mailvelope Extensions - Security Audit".
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.