PGP Inside your Browser? Possible!


For years, I’ve been using Pine linked with GnuPG to sign and/or encrypt my e-mails (if you are interested in exchanging secure content with me, my PGP key is available here). I use SSH to connect to my server, where I start Pine and manage my mailboxes. This is a secure setup but, to be honest, not very user friendly. HTML e-mails (even if I try to avoid them like the plague) and attached documents are difficult to handle. That’s why I’m also using a gmail.com account. Google allows you to define several accounts and send e-mails from their webmail using different source addresses. It’s really nice to use only one e-mail address. But what about privacy in this case? Google’s solution lacks encryption. PGP (“Pretty Good Privacy”) is the right solution to encrypt/sign data. It is based on asymmetric-key encryption. GnuPG is the free implementation of the OpenPGP standard as defined by RFC 4880.

I read an article on Korben’s blog about FireGPG, a Firefox extension which adds encryption and signatures to your browser content. Check out the official FireGPG website.

Once installed, FireGPG provides an integrated interface to apply GnuPG operations to the text of any web page, including encryption, decryption, signing, and signature verification. What a wonderful world, it also interacts with Gmail! It looks like other webmail interfaces will be supported in the future.

Note: FireGPG relies on a working GnuPG configuration to work properly (it’s installed by default on most Linux distributions). Please refer to the GnuPG documentation if you need to install it. Once done, generate your key pair or import your existing one.

The first use of FireGPG is to access the classic features of GnuPG from your browser. As an example, once you have installed the extension, point to the following URL: http://www.rootshell.be/xavier.gpg. FireGPG will detect the PGP signature and should display something like:

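What detecting a PGP signature in page text involves on the parsing side, as an added example that is not FireGPG's code or part of the original post: it finds cleartext-signed blocks (the RFC 4880 cleartext signature framework) and recovers the exact text the signature covers. The function names and the sample text are assumptions made for illustration; checking the signature itself is left to GnuPG.

```javascript
// Added example: parses the RFC 4880 cleartext signature framing only.
const BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----";
const BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----";
const END_SIG = "-----END PGP SIGNATURE-----";

// Parse one block whose armor headers start at lines[j]; null if malformed.
function parseAt(lines, j) {
  const hashes = [];
  // Only "Hash:" armor headers are allowed, up to the first empty line.
  for (; j < lines.length && lines[j].trim() !== ""; j++) {
    const m = /^Hash:\s*(.+)$/.exec(lines[j].trim());
    if (!m) return null;
    hashes.push(...m[1].split(",").map((h) => h.trim().toUpperCase()));
  }
  const body = [];
  for (j++; j < lines.length && lines[j].trim() !== BEGIN_SIG; j++) {
    const line = lines[j];
    // A signed line that starts with "-" must be dash-escaped as "- ".
    if (line.startsWith("-") && !line.startsWith("- ")) return null;
    const text = line.startsWith("- ") ? line.slice(2) : line;
    body.push(text.replace(/[ \t]+$/, "")); // trailing blanks are not signed
  }
  const sigStart = j;
  while (j < lines.length && lines[j].trim() !== END_SIG) j++;
  if (j >= lines.length) return null; // truncated: no complete signature
  const signatureArmor = lines.slice(sigStart, j + 1).map((l) => l.trim()).join("\n");
  // The signature covers the unescaped text with CRLF line endings.
  return { hashes, signedText: body.join("\r\n"), signatureArmor, endLine: j };
}

function findClearsignedBlocks(pageText) {
  const lines = pageText.split(/\r?\n/);
  const blocks = [];
  for (let i = 0; i < lines.length; i++) {
    if (lines[i].trim() !== BEGIN_MSG) continue;
    const block = parseAt(lines, i + 1);
    if (block) { blocks.push(block); i = block.endLine; }
  }
  return blocks;
}

// Constructed sample: placeholder signature body, then a truncated block.
const SAMPLE = ["Intro text", BEGIN_MSG, "Hash: SHA256", "", "Hello,   ", "- -- ",
  "Alice", BEGIN_SIG, "", "cGxhY2Vob2xkZXI=", END_SIG, "Footer", BEGIN_MSG,
  "Hash: SHA1", "", "cut off before any signature"].join("\n");
for (const b of findClearsignedBlocks(SAMPLE)) {
  console.log(b.hashes.join(","), JSON.stringify(b.signedText));
}
```

The truncated second block and any block with an unescaped dash line are rejected instead of being passed on as if they were signed.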

Other operations are possible on selected content in a browser window: encrypt, sign, import or export a key via the context menu:
FireGPG Context Menu
By launching the text editor, it’s possible to write your text and perform all the operations directly on it. A key manager is also included. Regarding security, FireGPG allows you to temporarily cache your passwords (for the current Firefox session only) or to clear the current cache.

But the coolest feature of FireGPG is the integration with Gmail. The HTML code is rewritten on the fly and the missing features to sign or encrypt your e-mails are added by FireGPG:
FireGPG Gmail Integration

This Firefox add-on is a must-have for people who need to exchange secured information using PGP keys. If you aren’t a regular user of asymmetric keys, I’d recommend first learning how they work; then you’ll discover the power of FireGPG.

Important remarks: Signed or encrypted e-mails are delivered by FireGPG itself! By default, it opens a secure SMTP (SMTPS) connection with smtp.gmail.com, which requires user authentication. This means that your local firewall policy must allow outgoing SMTPS connections to the Internet (TCP/465). If needed, the outgoing SMTP relay can be changed via the options window. Keep this in mind if your environment is very restricted!

One comment

  1. mutt also has GnuPG integration. And for Thunderbird, the Enigmail add-on is irreplaceable.
