PGP-Encryption for GMX and WEB.DE

By Thomas Oberndörfer - August 20, 2015

The two major German email providers GMX and WEB.DE today announced the availability of PGP encryption based on Mailvelope. A great deal of development efforts was put into the Mailvelope Open Source Project over the past 12 months resulting from the collaboration between 1und1 and Mailvelope GmbH, and as of today, the 30 million clients subscribing with GMX and can start using the integrated End-to-End encryption for the first time.

The Focus is on the User

The groundbreaking convergence of browser extension and web application has reached an unparalleled degree of user friendliness without compromising security. That way, Mailvelope contributes significantly in making secure communication a viable and attractive solution for the everyday user.

Using a Mailvelope API (Application Programming Interface) that is basically utilizable for other providers, secure containers inside the GMX and WEB.DE email clients are generated, within which PGP messages (and file attachments) can be read and generated. The user is able to identify the Mailvelope containers through an individual security backdrop at any given moment, and at no time will confidential data reach the Mail provider without encryption.

End-to-End Encryption

This is where Mailvelope stands out from server-side PGP-solutions such as OX Guard / These may contribute to a further prevalence of PGP, but they cannot be regarded as End-to-End Encryption: the private key is on the server; the messages are encrypted and decrypted directly at the provider, which is why the User always needs to rely on the server and the provider. The contention that this is a protection against unsafe end devices falls short of the issue it is trying to address because when using this approach, the message and the files arrive at the end device without encryption in each instance, which is why the security of the data always depends on the quality of the end device. The server-side approach makes for centralized structures that constitute potentially worthwhile targets for attacks.

Key Distribution

Mailvelope addresses the issue of assigning the private key to several end devices through a generated 26-digit retrieval code. This code is generated on initial setup in an optional step and will then be entered by the User on all other devices. Following, the private key can be synchronized from the cloud. The package containing the private key has a strong encryption (AES-256) and can only be opened using the 26-digit randomized password. This encryption has a very high level of security and, according to current knowledge, will not be vulnerable to cracking beyond 2030. Experts in the field agree that the weak spots of any system concerning secure communication are not found in current algorithms such as AES, or, like Snowden has put it, “Encryption works“.

Utilization of Mobile Devices

After initial setup, mobile devices such as the iOS and Android apps by GMX and WEB.DE can be used for PGP encryption. In this case, also the contacts (public keys) of the User are synchronized. Once a contact has been added (with optional fingerprint verification) to Mailvelope, it will then automatically be synchronized to other devices. To accomplish that, Mailvelope taps provider-neutral formats.

The options for implementing cryptography in the browser have expanded significantly in recent years. The following articles provide an assessment on the current stage of development and are applicable to JavaScript- based browser extensions such as Mailvelope: "JS crypto goto fail?"Google end-to-end threat model.