
Mailvelope 3.0: Encrypted Web Forms

By Thomas Oberndörfer - December 11, 2018

With the new version 3.0, which looks back on a relatively long development period (January to August 2018), Mailvelope gains two completely new applications. Besides e-mails, form data can now also be transmitted end-to-end encrypted on the web. In addition, the connection to GnuPG offers increased security and flexibility.

GnuPG Integration

With the GnuPG integration, we can now also address those users who were skeptical about the use of cryptography in browsers: as of version 3.0, a locally installed GnuPG application (e.g. Gpg4win or GPGTools) can be integrated into Mailvelope.

The user can now choose whether key management and the encryption routines are handled by OpenPGP.js or by the locally installed GnuPG application. A welcome side effect of this new flexibility is that security has been raised a further step: on the one hand, security tokens such as smart cards can now be used in conjunction with Mailvelope, and on the other hand, private keys held in GnuPG are better protected should the browser be compromised.

More about GnuPG integration and the possibilities of using hardware tokens will soon be available in a separate blog article.

Encrypted Web Forms

Version 3.0 is a further development that opens Mailvelope to future applications beyond e-mail encryption. Web forms are in widespread use, and the new General Data Protection Regulation (GDPR) is not the first to make clear that confidential data is often transmitted through them.

Mailvelope now offers the possibility to define forms in a specific format so that the submitted data can only be read by a selected recipient. The Mailvelope browser extension handles the encryption and packages the form data into an OpenPGP message.

Technical documentation on encrypted forms is available in the Mailvelope Wiki; further usage examples will be published soon.

Web Key Directory

At the beginning of an encrypted communication with OpenPGP, the communication partners must first exchange their public keys. To make this process as user-friendly as possible, we already chose a centralized approach in 2016, the Mailvelope Key Server, to simplify and partially automate the key exchange.

Starting with version 3.0, we also support a standardized procedure that follows a decentralized approach: with Web Key Directory (WKD), keys can be retrieved directly from the e-mail provider's web server, provided the provider supports the procedure.

Update of OpenPGP.js

In Mailvelope 3.0, the encryption library OpenPGP.js has been updated to version 4.2. In addition to numerous improvements, Mailvelope thereby gains support for ECC (Elliptic Curve Cryptography). This update of OpenPGP.js also improves security (see the OpenPGP.js 4.2 release notes).

The new developments in version 3.0 were made possible by a project of the German Federal Office for Information Security (BSI). We’d like to thank all participants for the good cooperation and the associated improvements of Mailvelope.