Google has released a new version of End-to-End, an open source encryption extension for Chrome introduced by the company earlier this year.
End-to-End, which leverages a new JavaScript-based crypto library, implements the OpenPGP standard, IETF RFC 4880. The tool allows users to generate encrypt, decrypt, sign and verify messages in the Web browser. Software that can do all these tasks already exists, but Google believes it’s too difficult to use for less tech savvy people.
The latest release contains more documentation for both developers and security researchers. It also includes contributions from Yahoo Chief Security Officer Alex Stamos. Stamos and his team have been collaborating with Google on the project since August.
Several bugs were uncovered in the first alpha release, but Google proudly reported that only few of them affected the new crypto library. Two of the vulnerabilities found in End-to-End qualified for the company’s bug bounty program and those who reported them earned financial rewards.
The extension is still in alpha and it’s not available in the Chrome Web Store because the search engine giant believes it’s not ready for general use. The company says it will release a fully fledged version of the tool next year.
“We don’t feel it’s as usable as it needs to be. Indeed, those looking through the source code will see references to our key server, and it should come as no surprise that we’re working on one. Key distribution and management is one of the hardest usability problems with cryptography-related products, and we won’t release End-To-End in non-alpha form until we have a solution we’re content with,” Stephan Somogyi, security and privacy product manager at Google, explained in a blog post.
The source code for End-to-End has been published on GitHub to allow the community to review it and make suggestions for improving it.
Google has been highly active when it comes to protecting its users. In March, the search giant started encrypting all Gmail messages to protect customers’ communications. Last week, the company revealed plans to alert Chrome users whenever they are visiting insecure HTTP websites.
