Category Archives: Encryption

Google’s new anti-NSA encryption tool

Posted on by

The National Security Agency's snooping is about to get more difficult.

Google on Tuesday released the source code for a new extension to its Chrome browser that will make it a lot easier for users to encrypt their email.

The tool, called End-to-End, uses an open-source encryption standard, OpenPGP, that will allow users to encrypt their email from the time it leaves their web browser until it is decrypted by the intended recipient. It will also allow users to easily read encrypted messages sent to their web mail service. The tool will require that users and their recipients use End-to-End or another encryption tool to send and read the contents.

This could be a major blow to the N.S.A. Despite numerous cryptographic advances over the past 20 years, end-to-end email encryption like PGP and GnuPG is still remarkably labor-intensive and require a great deal of technical expertise. User mistakes not errors in the actual cryptography often benefited the N.S.A. in its decade-long effort to foil encryption.

"It's important that the government not overstep," Eric Grosse, Google's chief of security, said in an interview last week. "We don't want any government breaking the security of the Internet."

Google's new tool may make the NSA and other intelligence agencies' jobs more difficult. While end-to-end encryption does not eliminate the potential for an attacker or government agency to read a target's messages, it forces them to hack directly into their computer to read messages rather than catching them in transit, or gathering them through a secret court order to their communications provider.

Read MoreHacker hedge fund targets vulnerable companies

Speaking by videoconference at the South by Southwest conference in Austin, Tex., this year, Edward J. Snowden, the former N.S.A. contractor, challenged technologists to offer easier end-to-end encryption, saying it would result in a "more constitutional, more carefully overseen enforcement model."

Until now, technology companies have been hesitant to provide end-to-end encryption because it excludes companies like Google and Yahoo from gathering data from messages that can be sold for targeted advertising. None of the major technology providers have signed on to Dark Mail Alliance, a partnership announced last year by Silent Circle and Lavabit, two privacy-conscious communications providers, that offered companies like Microsoft, Google and Yahoo a new end-to-end encrypted email protocol.

More from The New York Times: iPhone 6 rumors heat up TV apps are soaring in popularity Google glass enters the operating room

Read this article:
Google's new anti-NSA encryption tool

Google plans end-to-end encryption tool for additional email privacy

Posted on by

In an apparent response to ongoing concerns about electronic communications being collected and read by government agencies, Google released its estimates of how much email is being sent, unencryptedas well as a tool to do something about it.

Googles transparency report indicates that about half of the email passed to its servers isnt encrypted, while about 65 percent of the email sent from Google elsewhere is. Googles Gmail service itself uses HTTPS and offers encryption from the browser, but that doesnt matter if its being sent to a provider that doesnt use it.

The important thing is thatbothsides of an email exchange need to support encryption for it to work; Gmail cant do it alone, Brandon Long, a member of the Gmail delivery team, wrote in a blog post. Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers arent encrypted. Many providers have turned on encryption, and others have said theyre going to, which is great news. As they do, more and more emails will be shielded from snooping.

Numerous reports have surfaced, many sourced from documents leaked by Edward Snowden, about the governments intrusion into the email and digital information owned by Americans. The NSA collects email addresses and chat addresses; and allegedly read millions of private emailsin numerous programs reportedly dating back to the weeks after the Sept. 11, 2001 attacks.

The safermail report, then, acts as a sort of name and shame page for consumers. Email sent to and from the Comcast.net domain, for example, is almost always sent without encryption, while all email sent to the facebook.com domain is. (About 50 percent of emailfrom Facebook.com is unencrypted, however.)

The End to End extension, however, is designed to help users fight back. End to End is a future Chrome extension that will use OpenPGP to encase email in a secure wrapper that can be opened onlyby the recipient. Eventually, it will be released to the Chrome Web Store as a Chrome extension. For now, however, Google said it was encouraging developers to find, and report, any bugs before its general release.

We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection, Stephen Somogyi, a product manager for Google, wrote. But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it.

The rest is here:
Google plans end-to-end encryption tool for additional email privacy

New Chrome extension hopes to demystify encryption

Posted on by

A promotional image from Google's new Transparency Report section on Web-based email. Google wants to make it harder to spy on webmail by encouraging more webmail providers to adopt serevr-to-server encryption. Google

Google launched a two-pronged attack against unencrypted email on Tuesday, divulging which webmail providers don't encrypt their customers' webmail in a new Transparency Report update, while making it easier for individuals to implement the tough email encryption standard known as Pretty Good Privacy, or PGP, with a new browser add-on called End-to-End.

An update to Google's Transparency Report published today introduces a new section called Safer Email. Based on traffic Google sees from Gmail, the section describes a world of webmail where only about half of all email sent is encrypted from server to server.

This is important because webmail that is sent between servers that has not been encrypted can be spied upon with relative ease, similar to the difference between sending a letter in an envelope and an open postcard. If the entire chain of communication isn't encrypted from the starting server to final destination server, the email essentially has no protective envelope.

When Google's webmail competitors don't provide server-to-server email encryption, it exposes Gmail users, too. Screenshot by Seth Rosenblatt/CNET

"Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren't encrypted," wrote the Gmail Delivery Team tech lead Brandon Long, although he chose an encouraging tone over a scolding one.

"Many providers have turned on encryption, and others have said they're going to, which is great news," he wrote in a blog post announcing the update to the report.

Google wants webmail providers large and small to adopt Transportation Layer Security (TLS) to encrypt email and other data sent between its servers. While Gmail uses TLS in all its transmissions, Google's report says that currently, only 65 percent of messages sent from Gmail to other providers are received by a webmail provider using TLS. Messages sent to Gmail from other webmail systems fare even worse, with only 50 percent of them originating from companies that use TLS.

While Google's charts show that there's been a slight uptick recently, it's too recent to confirm as a trend. Google also provided interactive lists that chart which providers encrypt email in transit.

Google's Transparency Report charts show that some of the biggest offenders are major webmail vendors such as Microsoft, Apple, and Comcast. Screenshot by Seth Rosenblatt/CNET

See original here:
New Chrome extension hopes to demystify encryption

Gazzang buy gives end-to-end encryption for Cloudera Hadoop

Posted on by

IDG News Service - Cloudera will incorporate technology from its acquisition of encryption software provider Gazzang into Apache Hadoop so that industries with stringent security regulations can use the big-data processing platform.

Gazzang's technology will permit Hadoop use by organizations that have legal requirements to encrypt data across the entire system, said Mike Olson, Cloudera chief strategy officer. Terms of the acquisition, announced Tuesday, were not disclosed.

Regulations such as the health care industry's Health Insurance Portability and Accountability Act, retail's Payment Card Industry and Europe's Data Protection Directive, all require end-to-end encryption.

"Those folks need very strong security guarantees," Olson said.

Cloudera has already made Gazzang's encryption and key management software available for download to Cloudera customers and is folding the technology into the Cloudera Enterprise distribution.

Cloudera Enterprise already comes with many encryption capabilities -- for instance, data stored on the HDFS (Hadoop File System) can be encrypted.

But other parts of Hadoop do not have built-in encryption. Data that comes into the system from one of the streaming engines, such as Apache Sqoop, is not encrypted. Nor is metadata, the catalog data that describes the data being stored. Configuration information about a Hadoop cluster is not routinely encrypted either.

"There are pockets of data that need to be encrypted. Gazzang does that across the platform," Olson said.

Gazzang also provides a central, industrial-strength, registry for the keys used to encrypt and decrypt data.

"No vendor in the Hadoop space right now offers integrated security encryption and key management for the platform," Olson said.

Follow this link:
Gazzang buy gives end-to-end encryption for Cloudera Hadoop

Google, in promoting encryption, calls out Microsoft and Comcast

Posted on by

Encryption is like a relationship -- both parties need to be on the same page for it to work. And Microsoft and Comcast are apparently not on Google's page.

Google began a campaign Tuesday to raise awareness around encryption, and in the process it reported that less than 1 percent of emails sent during May from Gmail to Comcast.net accounts were encrypted in transit.

For Microsoft's Hotmail service (now called Outlook.com), just over half of emails to and from Google were encrypted. Outlook.com users can enable encryption but, unlike with Gmail, it's not turned on by default.

Google's figures appear in a new section in its transparency report that aims to give people better information on the security of their email.

The use of encryption has gained added attention since last year's leaks about U.S. government surveillance, prompting more service and software providers to promise customers they'll keep their data safe.

Encryption is meant to scramble messages and other data so it can only be read by the sender and receiver. Google has been encrypting all Gmail messages by default since 2010.

But encryption only works when it's supported by email providers at both ends of an exchange. In the figures it released Tuesday, Google said between 40 percent and 50 percent of all emails sent between Gmail and other providers during May were not encrypted in transit.

Yahoo fared better than others. Ninety-nine percent of inbound messages from Yahoo to Gmail accounts were encrypted, while 100 percent of outbound messages were.

Google's numbers don't reveal the proportion of emails encrypted within each provider's own walls. So it's possible that all messages sent among Microsoft's own users were encrypted, for example.

Microsoft said late last year that it would be expanding encryption across its services, with plans to encrypt all of its key communications services by the end of 2014.

More:
Google, in promoting encryption, calls out Microsoft and Comcast

Google Tries to Make Encryption Hip

Posted on by

Is encryption the new black?

Google on Tuesday touted its use of encryption on email messages, which turns the messages into garble that can only be read with a key. Google began encrypting email by default in 2010.

Tuesday, it highlighted for users that encryption only protects messages if both parties use it. And it called out other email providers including Comcast and Frances Orange for not using encryption.

On one day last month, for instance, fewer than 1% of Gmail messages sent to Comcast.net email addresses remained encrypted and none of the messages sent to Frances Orange service were scrambled, Google said.

Fewer than half of the messages sent to and from Microsofts Hotmail servers were encrypted. In a December blog post, Microsoft said it is working with other email providers to make sure messages remain encrypted.

Microsoft, Comcast and Orange could not immediately be reached for comment.

In the year since former National Security Agency contractor Edward Snowden released previously confidential documents showing the extent of the NSAs electronic monitoring, many companies have offered apps and gadgets promising to keep the NSA out of your inbox likely an overstated marketing claim.

Yet theres little evidence yet that consumers are flocking to the technology.

Still, Christopher Soghoian, a technologist at the American Civil Liberties Union, says Googles step Tuesday could help drag other tech companies forward.

Googles naming. We can shame, Soghoian said. And we will.

View post:
Google Tries to Make Encryption Hip

Google boosts Chrome encryption amid email warning

Posted on by

Summary: The Internet giant tries to convey to users that many emails are not secure once it leaves Google's hands.

Google routinely publishes reports to establish transparency into how often responds to data requests from law enforcement agencies, but its latest update pertains more to industry competitors.

The Internet giant issued a memo on Tuesday -- a reminder to some and maybe a heads-up to others -- that while Google might promise to keep emails encrypted within its bounds, it can't say the same when messages float beyond its digital grasp.

In fact, Google estimated that between 40 and 50 percent of emails sent between Gmail and other email providers arent encrypted at all.

Brandon Long, the tech lead for the Gmail Delivery Team, offered a real world comparison in a blog post on Tuesday to nail home the point for Internet users of all proficiency levels:

When you mail a letter to your friend, you hope shell be the only person who reads it. But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. Thats why we send important messages in sealed envelopes, rather than on postcards.

Email works in a similar way. Emails that are encrypted as theyre routed from sender to receiver are like sealed envelopes, and less vulnerable to snoopingwhether by bad actors or through government surveillancethan postcards.

While acknowledging other email providers to encrypt their emails too (albeit without naming names), Long noted a few public service announcements intended to nudge others to do the same.

That starts with a new section in Google's Transparency Report dedicated to promoting safer email infrastructures.

Google also has a few other security-minded announcements this week, including End-to-End, a new Chrome extension powered by OpenPGP, an open standard touted to be supported by existing encryption tools.

Read more:
Google boosts Chrome encryption amid email warning

More turn to encrypted email amid spying fears

Posted on by

SAN FRANCISCO -- The volume of email cloaked in encryption technology is rapidly rising as Google, Yahoo, Facebook and other major Internet companies try to shield their users' online communications from government spies and other snoops.

Google and other companies are now automatically encrypting all email, but that doesn't ensure confidentiality unless the recipients' email provider also adopts the technology.

In an analysis released Tuesday, Google said that about 65 percent of the messages sent by its Gmail users are encrypted while delivered, meaning the recipient's email provider also supports the technology. That's up from 39 percent in December. Incoming communiques to Gmail are lesas secure. Only 50 percent of them encrypted while in transit, up from 27 percent in December.

The volume of email cloaked in encryption technology is rapidly rising as major Internet companies try to shield their users' online communications from government spies and other snoops. (AP Photo/Damian Dovarganes, File)

Encryption reduces the chances that email can be read by interlopers. The technology transforms the text into coding that looks like gibberish until it arrives at its destination.

Google and other Internet services rely on a form of encryption known as Transport Layer Security, or TLS. Security experts say that encryption method isn't as secure as other options. But encryption that is tougher to crack is also more complicated to use.

Gmail, with more than 425 million accounts worldwide, was one of the first free email services to embrace TLS. Yahoo, Facebook and AOL also are encrypting their email services. Microsoft Corp., whose stable of email services includes the Outlook, MSN and Hotmail domains, has started encrypting many accounts as part of transition that won't be completed until later this year.

Less than half of the correspondence from a Hotmail account to Gmail isn't encrypted as of late May, Google said. Security is even worse at Comcast.net and Verizon.net, where less than 1 percent of the traffic coming to and from Gmail is encrypted, according to Google.

The Google report comes a year after the first wave of media reports about the U.S. government's intrusive techniques to monitor online communications and other Internet activity. The National Security Administration says its online surveillance focused on people living outside the U.S. as the agency tried to defuse threats of terrorism.

After lashing out at the government spying, Google and other Internet companies began encrypting email and other online services in an attempt to reassure users worried about their privacy. The Internet companies are hoping their efforts to thwart government surveillance will make Web surfers feel comfortable enough to continue to visit their services. The companies make more money from online ads if their audiences keep growing.

More:
More turn to encrypted email amid spying fears