Google's End-to-End

James Murphy jtmurphy at cmu.edu
Tue Jun 3 18:06:29 PDT 2014


On 6/3/2014 20:08, rysiek wrote:
> On Tuesday, 3 June 2014 19:55:16 James Murphy wrote:
>> On 6/3/2014 18:42, tpb-crypto at laposte.net wrote:
>>>> Message of 04/06/14 00:29
>>>> From: "rysiek"
>>>>
>>>> OHAI,
>>>>
>>>> On Wednesday, 4 June 2014 00:19:43 you wrote:
>>>>>> not sure what to think about this one:
>>>>>> http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html
>>>>>>
>>>>>> Technical specs:
>>>>>> https://code.google.com/p/end-to-end/
>>>>>
>>>>> If you want to land on a watch-list and maybe no-fly list, you just install
>>>>> it in your Chrome. Because as far as we can tell Google is in bed with the
>>>>> NSA and so the proprietary browser may just flag you to the system and done
>>>>> you are, or may forward all your messages in the clear. Who knows? Which is
>>>>> worse?
>>>>>
>>>>> That's why there is no foocking way to trust proprietary software.
>>>>> Companies are forced to act like criminals on behalf of the government.
>>>>> There is no loyalty, respect, ethics, honesty or even business which the US
>>>>> government won't try to trample upon.
>>>>>
>>>>> If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali,
>>>>> Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome.
>>>>>
>>>>> lol
>>>>
>>>> A heck with it, why not -- I'll play the Google's advocate here.
>>>>
>>>> So, the extension itself will be FLOSS, as I understand, so the extension
>>>> itself will be audit-able (inb4 openssl, truecrypt). And as I understand it
>>>> *will* be installable in Chromium too.
>>>>
>>>> Is that an acceptable combination? With such an assumption ("use Chromium,
>>>> Luke!"), does End-to-End seem to make sense? Or are there other problems we
>>>> need to look into and be wary of?
>>>
>>> With chromium, End-to-End can start looking respectable. But even then
>>> Chromium is cranked by a much smaller team than Firefox and surely
>>> suffers from the same problems OpenSSL has faced for most of its
>>> existence.
>> I went ahead and tried it out. One click to make a key and it integrates
>> into gmail. It's not going to replace PGP for anyone who already has a
>> key pair, but making end-to-end encryption one-click-easy is a shoe in
>> the door for getting the public to start caring about its own privacy
>> (and hence ours).
> 
> Okay, but how does that play with other PGP users? For example, will I be able 
> to verify your signature with my "old" GPG?
> 

It imported my ascii armored RSA public key just fine. Upon testing, it
correctly sent a signed and encrypted message to my RSA key's associated
email. I was not able to verify the signature though since gpg doesn't
support elliptic curve keys (I wonder why not). Presumably (hopefully)
gpg will be adding EC support in the future and this will no longer be
an issue.
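
Added example, not part of the original message or of the End-to-End project: a small Python reader that pulls the public-key algorithm ID out of a binary (already dearmored) OpenPGP signature packet, which is the field a verifier without elliptic-curve support fails on. The algorithm IDs are the ones assigned in RFC 4880 and RFC 6637; the sample packets are constructed for illustration and are not real signatures.

```python
# Public-key algorithm IDs: RFC 4880 section 9.1, plus ECC IDs from RFC 6637.
PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
            16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA"}
ECC_ALGOS = {18, 19}

def read_packet_header(data, pos=0):
    """Return (tag, body_start, body_len) for the OpenPGP packet at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:                        # new-format header
        tag, l0 = first & 0x3F, data[pos + 1]
        if l0 < 192:
            return tag, pos + 2, l0
        if l0 < 224:
            return tag, pos + 3, ((l0 - 192) << 8) + data[pos + 2] + 192
        if l0 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:                          # indeterminate: runs to end of data
        return tag, pos + 1, len(data) - pos - 1
    n = 1 << ltype                          # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def signature_algorithm(data):
    """Return (algo_id, name, is_ecc) for the first signature packet in data."""
    pos = 0
    while pos < len(data):
        tag, start, length = read_packet_header(data, pos)
        if tag == 2:                        # signature packet
            version = data[start]
            if version not in (3, 4):
                raise ValueError("unsupported signature version %d" % version)
            # v4: version, sig type, pk algo. v3: pk algo follows the key ID.
            algo = data[start + (2 if version == 4 else 15)]
            return algo, PK_ALGOS.get(algo, "unknown"), algo in ECC_ALGOS
        pos = start + length
    raise ValueError("no signature packet found")

# Constructed sample packets (not real signatures): minimal v4 bodies.
MPI = b"\x00\x08\xff"
ECDSA_SIG = b"\x88\x10" + bytes([4, 0, 19, 8]) + b"\0\0\0\0\xab\xcd" + MPI + MPI
RSA_SIG = b"\xc2\x0d" + bytes([4, 0, 1, 8]) + b"\0\0\0\0\xab\xcd" + MPI

if __name__ == "__main__":
    for name, blob in (("ECDSA sample", ECDSA_SIG), ("RSA sample", RSA_SIG)):
        print(name, signature_algorithm(blob))
```
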


