February 28, 2017 By Douglas Bonderud 2 min read

Email encryption is becoming a top enterprise priority. Politico noted that after an increased cybersecurity focus during the election, end-to-end (E2E) encryption is “booming” as government officials race to ensure they aren’t caught unprotected.

The problem is that while tools such as Pretty Good Privacy (PGP) offer solid security, they can be cumbersome to set up and difficult to use. Google recently backed a Chrome app, E2EMail, to streamline the encryption experience but, according to Threatpost, has now pushed the project to open source communities. What’s next for E2E efforts?

The Email Issue

Email remains a go-to threat vector for malicious actors. Despite the growing use of mobile devices and real-time collaborative tools, email is a corporate mainstay for both its usability and the ability to create paper trails in the event of an audit or legal challenge.

Common email scams run the gamut, from classic phishing hooks asking users to download files or visit compromised webpages to authentic-looking messages from actors impersonating C-suite executives that demand immediate employee action. But cybercriminals are never content with existing options.

As noted by CSO Online, the recent Yahoo breach prompted malicious actors to create a custom-built phishing campaign that claimed accounts had been locked for “failing automated security server update” and prompted users to “update” their accounts. It’s a clever ruse — leverage the fear of an existing breach to compromise corporate email accounts.

The Managed Message Mandate

PGP remains the de facto standard for encrypting emails from sender to receiver, though it’s worth noting that even PGP doesn’t obfuscate the subject line or the identities of the correspondents. As noted by ZDNet, an increased public focus on cybersecurity has prompted the development of alternatives such as ProtonMail, Wire and WhatsApp.

Google’s email encryption alternative was designed to provide a simple and streamlined experience by integrating OpenPGP into Gmail using a Chrome extension. While Google experts contributed to the project for more than a year, it was cut loose in late February as entirely open source.

So what’s the big deal? According to Google, the app “behaves as a sandbox where you can only read or write encrypted email” — in other words, any mail sent from the app is automatically signed and encrypted, Threatpost reported. It supports PGP and MIME text messages and, even when sent through Gmail, makes it impossible for any provider to crack message contents.

By linking the app with the Chrome browser, Google hoped to eliminate the complexity of most PGP deployments and make email security the default mode for corporate communications, rather than an outlier.

The Future of Email Encryption

Under open source development, meanwhile, the sky’s the limit. The search giant said E2EMail will be able to take advantage of in-development key transparency initiatives, which will hopefully replace the aging web-of-trust model. Still, expanded functionality and specific features rely on the interest and talent of open source developers.

In the best case scenario, E2EMail will be a jumping off point for better, faster and more streamlined email encryption. Worse case, it’s just another encryption tool in the growing market. Either way, it’s an improvement over the current model of managed email messaging.

More from

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today