Google Offers New Encryption Tool
By NICOLE PERLROTH

The National Security Agency’s snooping is about to get more difficult.

Google on Tuesday released the source code for a new extension to its Chrome browser that will make it a lot easier for users to encrypt their email.

The tool, called End-to-End, uses an open-source encryption standard, OpenPGP, that will allow users to encrypt their email from the time it leaves their web browser until it is decrypted by the intended recipient. It will also allow users to easily read encrypted messages sent to their web mail service. The tool will require that users and their recipients use End-to-End or another encryption tool to send and read the contents.

This could be a major blow to the N.S.A. Despite numerous cryptographic advances over the past 20 years, end-to-end email encryption like PGP and GnuPG is still remarkably labor-intensive and require a great deal of technical expertise. User mistakes — not errors in the actual cryptography — often benefited the N.S.A. in its decade-long effort to foil encryption.

“It’s important that the government not overstep,” Eric Grosse, Google’s chief of security, said in an interview last week. “We don’t want any government breaking the security of the Internet.”

Google’s new tool may make the NSA and other intelligence agencies’ jobs more difficult. While end-to-end encryption does not eliminate the potential for an attacker or government agency to read a target’s messages, it forces them to hack directly into their computer to read messages rather than catching them in transit, or gathering them through a secret court order to their communications provider.

Speaking by videoconference at the South by Southwest conference in Austin, Tex., this year, Edward J. Snowden, the former N.S.A. contractor, challenged technologists to offer easier end-to-end encryption, saying it would result in a “more constitutional, more carefully overseen enforcement model.”

Until now, technology companies have been hesitant to provide end-to-end encryption because it excludes companies like Google and Yahoo from gathering data from messages that can be sold for targeted advertising. None of the major technology providers have signed on to Dark Mail Alliance, a partnership announced last year by Silent Circle and Lavabit, two privacy-conscious communications providers, that offered companies like Microsoft, Google and Yahoo a new end-to-end encrypted email protocol.

Privacy activists have criticized Google and other companies for not supporting end-to-end encryption sooner.

“Google wants to sit between you and everyone you interact with and provide some kind of added value,” Christopher Soghoian, the principal technologist of the American Civil Liberties Union, said on the SXSW panel with Mr. Snowden. “They want to be in that connection with you, and that makes it difficult to secure those connections.”

But Google’s announcement on Tuesday showed that the company has heard those concerns.

“We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection,” Stephan Somogyi, a Google privacy and security product manager, wrote in a company blog post. “But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it.”

It will take more time for users to put End-to-End into effect. On Tuesday, Google released the early draft of its open source End-to-End code for cryptographers, privacy activists and engineers to inspect for mistakes and back doors. Google’s bug bounty program, called its Vulnerability Reward Program, offers security researchers money if they find security bugs in the code, for End-to-End and other products.

Separately, Google released new numbers on Tuesday in a report showing how far companies still need to go to secure user communications. Google automatically encrypts web traffic as it travels from its servers around the Internet, but if the communications provider on the other end does not also support encryption, then the communications aren’t protected.

Google said 40 to 50 percent of emails sent between Gmail and other email providers are not encrypted. Less than 1 percent of traffic between Google and Comcast is encrypted, for example, while more than 95 percent of traffic between Google, Yahoo, Facebook, Twitter, Craigslist and Amazon remains encrypted.

Charlie Douglas, a Comcast spokesman, said the company was currently testing encryption with large websites and email providers and planned to turn on encryption with Google in a matter of weeks. He said Comcast engineers would be on a conference panel next week to discuss best practices and road maps for switching on encryption with other email providers as well.

“We are supportive of, and want to drive adoption of, encryption,” Mr. Douglas said.

Microsoft, which announced earlier this year that it planned to switch on encryption by the end of the year, still has some work to do. Roughly only half the traffic between Google and Microsoft services like Hotmail stays encrypted.

Google’s data will no doubt be used by privacy activists to shame companies that do not support encryption. And indeed, on Tuesday afternoon, Mr. Soghoian had already tweeted a link to Google’s report. “They name,” he wrote. “We shame.”

Google加密電郵 NSA也沒轍

Google公司正在測試名為「端對端」（End-to-End）的超級安全電郵加密技術，該服務把用戶的電子郵件用亂碼加密，只有收信端的信任對象能看到清楚的原文。駭客將沒有機會侵入，即使美國的國安局（NSA）也會束手無策。事實上，前NSA雇員史諾登去年揭發美國監控文件之前，就是以類似的加密方式和新聞記者聯繫。

這項端對端服務尚未推出。Google說，正在公開測試這項系統，通過測試後用戶便可下載、安裝該應用程式，透過個人使用的Chrome瀏覽器，便能和所有的網路電郵服務配合運作。

負責安全與隱私的Google產品經理索摩吉說：「我們希望端對端加密技術的普及能讓用戶在必要時，可以更快速、更容易地獲得額外的安全保障。」

Google超級加密技術的運作方式如下：假設你要傳送敏感訊息給友人，為了避免遞送信件者打開來看，朋友買了掛鎖並把鎖打開寄給你，保留鑰匙，而你把信件放進盒子，再以朋友寄來的掛鎖把它鎖上後寄出。於是，只有收信人能以他保管的私人鑰匙打開鎖收信。

Google讓用戶可以分享掛鎖，但鑰匙不能分享。目前為止，端對端加密仍無法破解。

去年美國政府被揭露未經允許監視私人郵件和電話後，科技公司便致力加強安全措施。除Google外，微軟、雅虎也都在研發資訊加密技術。

原文參照：
http://bits.blogs.nytimes.com/2014/06/03/google-offers-new-encryption-tool/

2014-06-05．經濟日報．A8．國際企業．編譯陳澄和