Mailvelope

Mailvelope is free software for end-to-end encryption of email traffic inside of a web browser (Firefox, Chromium or Edge) that integrates itself into existing webmail applications ("email websites"). It can be used to encrypt and sign electronic messages, including attached files, without the use of a separate, native email client (like Thunderbird) using the OpenPGP standard. The name is a portmanteau of the words "mail" and "envelope". It is published together with its source code under the terms of version 3 of the GNU Affero General Public License (AGPL). The company Mailvelope GmbH runs the development using a public code repository on GitHub. Development is sponsored by the Open Technology Fund and Internews. Similar alternatives had been Mymail-Crypt and WebPG.


Features

Mailvelope equips webmail applications with OpenPGP functionality. Support for several popular providers like Gmail, Yahoo, Outlook on the web and others is preconfigured. The webmail software Roundcube senses and supports Mailvelope as of version 1.2 from May 2016, as well as most (self-hosted) webmail clients. For Chromium/Chrome there is the possibility to install from an authenticated source using the integrated software extension manager "Chrome Web Store". In addition, Mailvelope is also available for Firefox and Microsoft Edge as an add-on.

Mailvelope works according to the OpenPGP standard, a public-key cryptosystem first standardized in 1998, and is written in JavaScript. On preset or user-authorized web pages it overlays the page with its control elements, which are visually distinguished as being separate from the web application by a surrounding security background. This background can be customized to detect impersonations. For encryption it relies on the functionality of the program library OpenPGP.js, a free JavaScript implementation of the OpenPGP standard. By running inside a separate inline frame, its code is executed separately from the web application, which should prevent the web application from accessing clear text message contents.

The integration of Mailvelope via an API, developed in collaboration with United Internet, allows deeper integration between the webmail service and Mailvelope components. Thus, the setup and generation of a key pair can be done directly in the webmailer using a wizard. Mailvelope manages all OpenPGP keys locally in the browser. Since version 3.0, a local GnuPG installation can be included in Mailvelope's key management, allowing users to use native applications if desired.


History and usage

Thomas Oberndörfer started developing Mailvelope in spring 2012, with the first public version 0.4.0.1 released on August 24. The global surveillance disclosure raised questions about the security of private and business email communication. At the time, e-mail encryption with OpenPGP was considered too complicated to use. Moreover, the webmail services that were particularly popular with private individuals did not offer any end-to-end encryption functions. This led to various mentions of Mailvelope in the press as a possible solution to this problem.

Mario Heiderich and Krzysztof Kotowicz of Cure53 did a security audit on an alpha version from 2012/2013. Among other things, the separation from the web application and its data structures was improved based on its findings. In February 2014, the same group analysed the library OpenPGP.js, which Mailvelope is based on. Version 0.8.0, released the following April, adopted the resulting fixes and added support for message signing. In May 2014, iSEC Partners published an analysis of the Firefox extension. Version 1.0.0 was published on August 18, 2015.

In April 2015, De-Mail providers equipped their services with an option, disabled by default, for end-to-end encryption based on Mailvelope, but it could only be used in combination with Mobile TAN or the German electronic identity card. The new version of the extension was released in May 2015. In August 2015, the email services of Web.de and GMX introduced support for OpenPGP encryption and integrated Mailvelope into their webmail applications for that. According to the company's own information, the option to encrypt e-mails in this way was available to around 30 million users.

A 2015 study examined the usability of Mailvelope as an example of a modern OpenPGP client and deemed it unsuitable for the masses. The study recommended integrating assistant functionality, sending instructive invitation messages to new communication partners, and publishing basic explanatory texts. The Mailvelope-based OpenPGP system of United Internet integrates such functionality, and its usability earned some positive mentions in the press, particularly the offered key synchronization feature. A usability analysis from 2016 still found it to be "worthy of improvement" ("verbesserungswürdig"), though, and mentioned "confusing wording" ("irritierende Formulierungen"), missing communication of the concept, bad password recommendations, a missing clear demarcation from the more prominent mode that features only transport encryption, plus insufficient support for key authenticity checking (to thwart man-in-the-middle attacks).

Mailvelope was enhanced in 2018/19 as part of a BSI initiative. Overall, the "key management was simplified, and security of the software improved." All security vulnerabilities in the Mailvelope source code, as well as in the OpenPGP.js program library used, brought to light by a security audit conducted by SEC Consult were closed. According to the BSI, one goal of the project was also to enable website operators to offer contact forms in the future to securely encrypt messages from the user's browser to the recipient. The import of new keys would be HTTPS-encrypted using the WKD (Web Key Directory) protocol.


External links

* mailvelope/mailvelope on GitHub