Google has taken several steps this week to improve the security of its Gmail application and Chrome web browser. Gmail is set to support Content Security Policy (CSP) and has also published preliminary code for end-to-end email encryption.
Content Security Policy (CSP) is an idea that has been around since at least 2010, when Mozilla implemented the technology in its Firefox 4 web browser. The basic idea behind CSP is to limit the risk of Cross Site Scripting (XSS) security flaws. CSP provides policies for a browser about what scripts from sites can run.
In a blog post, Danesh Irani, software engineer for Gmail security at Google, noted that there are many great extensions for Gmail.
“Unfortunately, there are also some extensions that behave badly, loading code which interferes with your Gmail session, or malware which compromises your email’s security,” Irani wrote. “Gmail’s CSP protects you, by stopping these extensions from loading unsafe code.”
Google is also advancing its vision for end-to-end email encryption. The promise of end-to-end is a fully encrypted email mechanism that is interoperable with other online webmail services. At Black Hat USA 2014, Yahoo CISO announced that Yahoo would also be building a full email encryption service for its Yahoo mail users.
The Google effort is known at the ‘End to End’ project and it is now at its alpha development stage with the code now being migrated to Github.
“End-To-End is a Chrome extension that helps you encrypt, decrypt, digital sign, and verify signed messages within the browser using OpenPGP,” the End-to-End project page on Github states.
While End-to-End now has alpha code available, it is not yet considered to be ready for public consumption. Stephan Somogyi, Product Manager, Security and Privacy at Google wrote in a blog post that Google doesn’t yet feel that End-to-End is as usable as it needs to be.
“Indeed, those looking through the source code will see references to our key server, and it should come as no surprise that we’re working on one,” Somogyi wrote. “Key distribution and management is one of the hardest usability problems with cryptography-related products, and we won’t release End-To-End in non-alpha form until we have a solution we’re content with.”
Looking beyond just Gmail, Google is now also considering a strategy that would see it label non-SSL/HTTPS sites as being insecure.
“We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure,” a Chromium proposal states. “We intend to devise and begin deploying a transition plan for Chrome in 2015.”
Sean Michael Kerner is a senior editor at Datamation and InternetNews.com. Follow him on Twitter @TechJournalist
Photo courtesy of Shutterstock.