Mailvelope

Mailvelope
Developer(s) Mailvelope GmbH
Initial release 2012
Stable release 5.1.1 [1] / 13 October 2023
Repository mailvelope on GitHub
Written in JavaScript
Platform web browser
Type browser extension
License AGPL (free software)
Website www.mailvelope.com

Mailvelope is free software for end-to-end encryption of email traffic inside of a web browser (Firefox, Chromium or Edge) that integrates itself into existing webmail applications ("email websites"). It can be used to encrypt and sign electronic messages, including attached files, without the use of a separate, native email client (like Thunderbird) using the OpenPGP standard.


The name is a portmanteau of the words "mail" and "envelope". It is published together with its source code under the terms of version 3 of the GNU Affero General Public License (AGPL). The company Mailvelope GmbH runs the development using a public code repository on GitHub. Development is sponsored by the Open Technology Fund and Internews. [2]

Similar alternatives were Mymail-Crypt [3] and WebPG. [4]

Features

Mailvelope equips webmail applications with OpenPGP functionality. Support for several popular providers like Gmail, Yahoo, Outlook on the web and others is preconfigured. [5] [6] The webmail software Roundcube detects and supports Mailvelope as of version 1.2 from May 2016, as do most (self-hosted) webmail clients. [7] On Chromium/Chrome it can be installed from an authenticated source through the integrated extension manager, the "Chrome Web Store". [8] In addition, Mailvelope is also available for Firefox and Microsoft Edge as an add-on.

Mailvelope works according to the OpenPGP standard, a public-key cryptosystem first standardized in 1998, and is written in JavaScript. On preset or user-authorized web pages it overlays the page with its control elements, which are visually distinguished as being separate from the web application by a surrounding security background. This background can be customized to detect impersonations. [4] For encryption it relies on the program library OpenPGP.js, a free JavaScript implementation of the OpenPGP standard. Because it runs inside a separate inline frame, its code is executed separately from the web application, which should prevent the web application from accessing cleartext message contents. [3]

The integration of Mailvelope via an API, developed in collaboration with United Internet, allows deeper integration between the webmail service and Mailvelope components. Thus, the setup and generation of a key pair can be done directly in the webmailer using a wizard. Mailvelope manages all OpenPGP keys locally in the browser. [9] Since version 3.0, a local GnuPG installation can be included in Mailvelope's key management, allowing users to use native applications if desired. [10]

History and usage

Thomas Oberndörfer started developing Mailvelope in spring 2012 with the first public version 0.4.0.1 released on August 24. The global surveillance disclosure raised questions about the security of private and business email communication. At the time, e-mail encryption with OpenPGP was considered too complicated to use. Moreover, the webmail services that were particularly popular with private individuals did not offer any end-to-end encryption functions. This led to various mentions of Mailvelope in the press as a possible solution to this problem. [11] [12] [13]

Mario Heiderich and Krzysztof Kotowicz of Cure53 did a security audit on an alpha version from 2012/2013. [8] Among other things, the separation from the web application and its data structures was improved based on its findings. In February 2014, the same group analysed the library OpenPGP.js which Mailvelope is based on. Version 0.8.0, released the following April, adopted the resulting fixes and added support for message signing. In May 2014, iSEC Partners published an analysis of the Firefox extension. [4] Version 1.0.0 was published on August 18, 2015.

In April 2015, De-Mail providers equipped their services with an option, disabled by default, for end-to-end encryption based on Mailvelope, but it could only be used in combination with Mobile TAN or the German electronic identity card. [14] The new version of the extension was released in May 2015. In August 2015, the email services of Web.de and GMX introduced support for OpenPGP encryption and integrated Mailvelope into their webmail applications for that purpose. According to the company's own information, this option to encrypt e-mails was available to around 30 million users. [15]

A 2015 study examined the usability of Mailvelope as an example of a modern OpenPGP client and deemed it unsuitable for the masses. The authors recommended integrating assistant functionality, sending instructive invitation messages to new communication partners, and publishing basic explanatory texts. [16] The Mailvelope-based OpenPGP system of United Internet integrates such functionality, and its usability earned some positive mentions in the press, particularly the key synchronization feature it offers. [17] [9] A usability analysis from 2016 nevertheless found it to still be "worthy of improvement" ("verbesserungswürdig") and mentioned "confusing wording" ("irritierende Formulierungen"), missing communication of the concept, bad password recommendations, no clear distinction from the more prominent mode that offers only transport encryption, and insufficient support for key authenticity checking (to thwart man-in-the-middle attacks). [4]

Mailvelope was enhanced in 2018/19 as part of a BSI initiative. [18] Overall, the "key management was simplified, and security of the software improved." All security vulnerabilities in the Mailvelope source code, as well as in the OpenPGP.js program library used, brought to light by a security audit conducted by SEC Consult were closed. [19] [20] According to the BSI, one goal of the project was also to enable website operators to offer contact forms in the future to securely encrypt messages from the user's browser to the recipient. The import of new keys would be HTTPS-encrypted using the WKD (Web Key Directory) protocol. [19]
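
The WKD lookup mentioned above maps an email address to a fixed HTTPS URL on the address's own domain. As an added example (not Mailvelope's code), the following Node.js code derives both lookup URLs as defined in the public WKD Internet-Draft; the function names are hypothetical and the sample address is the one used in that draft.

```javascript
// Added example, not Mailvelope code: WKD URL derivation per the public
// Internet-Draft draft-koch-openpgp-webkey-service. Function names are hypothetical.
const nodeCrypto = require('node:crypto');

const ZBASE32 = 'ybndrfg8ejkmcpqxot1uwisza345h769';

// z-base-32: 5 bits per character, most significant bits first.
function zbase32(buf) {
  let out = '', acc = 0, bits = 0;
  for (const byte of buf) {
    acc = (acc << 8) | byte;
    bits += 8;
    while (bits >= 5) {
      out += ZBASE32[(acc >>> (bits - 5)) & 31];
      bits -= 5;
    }
    acc &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += ZBASE32[(acc << (5 - bits)) & 31];
  return out;
}

// Returns the "advanced" and "direct" lookup URLs for one address.
function wkdUrls(address) {
  const at = address.lastIndexOf('@');
  if (at < 1 || at === address.length - 1) throw new Error('not an email address');
  const local = address.slice(0, at);
  const domain = address.slice(at + 1).toLowerCase();
  // Refuse anything that could change the URL's host or path.
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/.test(domain)) throw new Error('unsafe domain');
  // Only ASCII upper-case letters are folded before hashing.
  const folded = local.replace(/[A-Z]/g, (c) => c.toLowerCase());
  // SHA-1 serves here as a fixed-length identifier, not as a security boundary.
  const hu = zbase32(nodeCrypto.createHash('sha1').update(folded, 'utf8').digest());
  const query = '?l=' + encodeURIComponent(local);
  return {
    advanced: `https://openpgpkey.${domain}/.well-known/openpgpkey/${domain}/hu/${hu}${query}`,
    direct: `https://${domain}/.well-known/openpgpkey/hu/${hu}${query}`,
  };
}

// Sample address taken from the WKD draft itself.
console.log(wkdUrls('Joe.Doe@Example.ORG'));
```

Both URLs are HTTPS-only, which is what ties the fetched key to the mail domain's TLS certificate.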


References

  1. "Release Mailvelope 5.1.1 · mailvelope/Mailvelope". GitHub.
  2. "Mailvelope: PGP for Gmail & Webmail". mailvelope.com. Retrieved 2022-03-02.
  3. Akash Badshah; Anurag Kashyap; Kenny Lam; Vikas Velagapudi, SendSecure (courses.csail.mit.edu) (in German)
  4. Verena Schochlow; Stephan Neumann; Kristoffer Braun; Melanie Volkamer (2016), "Bewertung der GMX/Mailvelope-Ende-zu-Ende-Verschlüsselung", Datenschutz und Datensicherheit (in German), Wiesbaden: Springer Fachmedien, vol. 40, no. 5, pp. 295–299, doi:10.1007/s11623-016-0599-5, S2CID 12246719
  5. "Mailvelope". Right to Hide (in German). Hungarian Civil Liberties Union (HCLU). Archived from the original on 2016-09-26. Retrieved 2016-09-26.
  6. "FAQ | Mailvelope". mailvelope.com. Retrieved 2022-03-02.
  7. "PGP-Unterstützung: Neuer Roundcube-Webmailer veröffentlicht". Golem.de (in German). Retrieved 2016-09-25.
  8. Mario Heiderich; Krzysztof Kotowicz, Pentest-Report Mailvelope 12.2012–02.2013 (cure53.de) (in German)
  9. Bleich, Axel Kossel (21 August 2015). "GMX und Web.de integrieren PGP in ihre Mail-Dienste". C't (in German). Vol. 2015, no. 19. p. 40. Retrieved 2015-12-28.
  10. "BSI-Projekt 'Weiterentwicklung von Mailvelope'". Bundesamt für Sicherheit in der Informationstechnik (in German). Retrieved 2022-03-02.
  11. Finley, Klint. "Google's Revamped Gmail Could Take Encryption Mainstream". Wired. ISSN 1059-1028. Retrieved 2022-03-02.
  12. Tufnell, Nicholas (2015-03-06). "21 tips, tricks and shortcuts to help you stay anonymous online". the Guardian. Retrieved 2022-03-02.
  13. Russon, Mary-Ann (2015-03-06). "How to encrypt your emails using PGP to keep your secrets safe". Retrieved 2022-03-02.
  14. "De-Mail integriert Ende-zu-Ende-Verschlüsselung mit PGP". Heise Online (in German). 9 March 2015. Retrieved 2016-09-25.
  15. "Web.de und GMX führen PGP-Verschlüsselung für Mail ein". Heise Online (in German). 20 August 2015. Retrieved 2016-09-25.
  16. Scott Ruoti; Jeff Andersen; Daniel Zappala; Kent Seamons (2015), Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client (in German), arXiv:1510.08555
  17. Patrick Beuth, "GMX und Web.de: Der schnellste Weg zur verschlüsselten E-Mail" (zeit.de), Die Zeit (in German), Hamburg
  18. "BSI-Projekt 'Weiterentwicklung von Mailvelope'". Bundesamt für Sicherheit in der Informationstechnik (in German). Retrieved 2022-03-02.
  19. Scherschel, Fabian (2019-08-23). "PGP-Verschlüsselung für Webbrowser: BSI-Projekt verbessert Open-Source-Software Mailvelope". heise.de (in German). Retrieved 2022-03-02.
  20. Ettlinger, W. (2019). "Mailvelope Extensions - Security Audit".