[English translation of the press release of August 20, 2015]
The solution is based on the globally recognized “Pretty Good Privacy” (PGP) standard, which GMX is now making available to everyone. The new e-mail security level works on all commonly used devices, is provided free to all customers of the mail service, and is compatible with all previous PGP applications.
Helping encryption achieve breakthrough
“With the aid of our solution, all users–even those with no prior technical knowledge–can encrypt their e-mails so that only the recipient can open the content. Whether via Internet browser or GMX smartphone app, anyone can now encrypt using professional technology which previously required some technical knowledge. We hope this will be the breakthrough for widespread encryption,” says Jan Oetjen, CEO of GMX.
The e-mail provider is using the open source software Mailvelope for the PGP encryption. This encryption can be used on all major devices. When using a browser, the plug-in is integrated into the familiar e-mail interface of GMX and encrypts the mail content and any attachments directly before sending. The GMX apps for Android or iOS smartphones and tablets automatically include the PGP plug-in so that users can encrypt and decrypt messages on all commonly used devices. Even attachments can easily be encrypted together with the message on all devices–something that previously required additional effort.
Assistant sets up PGP for users
The approach solves the three main problems which users previously faced when using end-to-end encryption and which prevented its spread: PGP set-up, key exchange, and assistance if the key is lost. GMX has introduced a set-up assistant which guides users through just a few steps until the first encrypted mail can be sent. After installing the browser plug-in, the private and public keys required for PGP are automatically generated and clearly assigned to the user. E-mails to a particular recipient are encrypted with this person’s public key and can then only be decrypted by that person using a secret private key. By simply transferring keys between devices, users can also quickly load their private key on a smartphone so that in the case of loss it can be restored via one of the devices.
Own directory of public keys solves previous PGP problem
With its internal public key directory, GMX offers a solution for a previously unresolved PGP problem: how can the public keys of other users be securely accessed, and how can it be ensured that they are the right ones? All public keys generated by the browser plug-in are stored in a directory administered by GMX. With the aid of a signature, GMX ensures that the keys in this directory match the respective accounts in the directory. Only the user knows the corresponding private keys.
Providers ensuring transparency: source code released
The provider is ensuring transparency by releasing the source code and commissioning external security experts to conduct audits. All security-relevant information–such as private keys and passwords–is beyond the control of GMX and can never be viewed by them. Users therefore retain full data sovereignty. First of all, this means that it is up to them which messages should or should not be encrypted. Despite the simplification, end-to-end encryption also means that users are responsible themselves for the security of their devices and private keys, as encryption is only safe if the device is also safe.
PGP is also an important addition to the “E-Mail made in Germany” security standard launched by the mail system group comprising 1&1, freenet, GMX, Telekom, Strato and WEB.DE. E-mail account holders with a provider belonging to this group can not only protect the content of their messages but also the so-called metadata, such as the sender, addressee, subject, mailing time and, above all, the fact that the message is PGP-encrypted. All “E-Mail made in Germany” providers enable their users to utilize the standard PGP solutions and thus protect their mail content and metadata.