Mailvelope


[Screenshot: Compose an encrypted message]
Basic data

Developer: Mailvelope GmbH
Publishing year: 2012
Current version: 4.3.2 (May 22, 2020)
Operating system: Web browser
Programming language: JavaScript
Category: Browser extension
License: AGPL (free software)
Website: mailvelope.com

Mailvelope is free software for end-to-end encryption of e-mail traffic within a web browser (Firefox or Chromium). It integrates into existing webmail applications ("e-mail websites"), so that electronic messages, including attached files, can be signed and encrypted using the OpenPGP standard without a separate, native e-mail program (such as Thunderbird).

The name is a portmanteau of the words "mail" and "envelope". The software is available with its source code under the terms of version 3 of the GNU Affero General Public License (AGPL). The developer, Mailvelope GmbH, runs development in a public code repository on GitHub. Development is funded by the Open Technology Fund.

Similar alternatives are Mymail-Crypt and WebPG.

Features

Mailvelope equips webmail applications with OpenPGP functionality. It includes presets for webmail users of several popular providers such as Gmail. For Chromium/Chrome, an authenticated installation option is available through the browser's integrated software management, the Chrome Web Store.

A study from 2015 examined the usability of Mailvelope as an example of a modern OpenPGP client and confirmed that it was not suitable for the masses. The study advised integrating assistance functions, sending invitation messages with instructions to new correspondents, and publishing basic explanatory texts. United Internet's Mailvelope-based OpenPGP system integrates such functions and received praise from the press for its user-friendliness, especially the key synchronization function. A usability study from 2016 found this system to be "in need of improvement" and spoke of "irritating formulations", a failure to communicate the concept, poor password recommendations, a lack of clear demarcation from the more obtrusive, transport-encrypted mode, and insufficient support for checking key authenticity (against man-in-the-middle attacks).

Distribution

In April 2015, De-Mail providers equipped their services with an option for end-to-end encryption based on Mailvelope, which is deactivated by default and can only be used in combination with mobile TAN or electronic ID. In August 2015, the e-mail services of GMX and Web.de introduced support for OpenPGP encryption and integrated an adapted version of Mailvelope into their webmail applications. According to the company, this option was open to around 30 million users. In contrast to De-Mail, the previously advertised but not privacy-protecting encryption variant, some of the same e-mail providers have been promising their customers since August 20, 2015 that they will be able to communicate with authenticated participants without expert knowledge and use end-to-end encryption in doing so.

Functionality

Mailvelope works according to OpenPGP, an asymmetric encryption method first standardized in 1998. It is a web browser extension written in JavaScript for Firefox or Chromium (or Chrome). On certain websites, it overlays its own controls, which are visually marked as separate from the web application by a surrounding background graphic with lock symbols. This graphic can be customized in the settings so that imitations can be recognized. Under the hood, it builds on the OpenPGP.js library, a free JavaScript implementation of the OpenPGP standard. Because it runs in its own inline frame, its code is executed separately from the web application, which should therefore not have access to the plain text.

The variant of the plug-in that has been further developed in cooperation with United Internet uses a setup assistant to create a key pair in the background and manages all OpenPGP keys locally in the browser.

History

The developer names the FireGPG project, which started in 2007 and has since been abandoned, as an important forerunner. Thomas Oberndörfer started development in spring 2012, and the first public version, 0.4.0.1, appeared on August 24th.

Mario Heiderich and Krzysztof Kotowicz from Cure53 subjected an alpha version to a security audit in 2012/2013. Based on this, the separation of the webmail application and its data structures was improved. The underlying library OpenPGP.js was also examined by the same group in February 2014. Mailvelope version 0.8.0, released the following April, adopted the resulting corrections and added support for message signing. In May 2014, iSEC Partners published an investigation into the Firefox extension. Version 1.0.0 was released on August 18, 2015.

The webmail software Roundcube recognizes and supports Mailvelope as of version 1.2, released in May 2016.
