Google’s plan here is to make encryption easy enough to use to become widespread among mainstream users. Right now, unless you are fairly technical and can get extensions like Mailvelope to work for you, using Gmail — or any other popular email service — with encryption enabled is pretty hard. Because of this, very few people actually encrypt their messages today.
While Google announced this project today, it isn’t actually launching the plug-in yet. Instead, it is sharing the source code with the community to test and evaluate it. Given the recent issues around the Heartbleed bug in the OpenSSL library, that’s probably the right approach. “Prematurely making End-To-End available could have very serious real world ramifications,” Google rightly says.
The plug-in is covered by Google’s Vulnerability Reward Program, so developers and security researchers who find issues with it can get prizes for finding bugs.
Google says that the new plug-in will let “anyone” enable end-to-end email encryption “through their existing web-based email provider.” Chances are, then, that this plug-in will work with more than just Gmail and cover other popular services as well. Given that the recipients have to somehow decrypt your encrypted email, it wouldn’t make sense to just offer this for Gmail anyway.
What exactly the new plug-in looks like and how it will make encryption easier in daily use still remains to be seen, however (we’ll have to compile and test it ourselves first). The kind of public key encryption that Google is using tends to be pretty complex to set up, so Google has quite a challenge ahead of it if it wants to make this a system that even non-technical users can understand.
Besides this new extension, Google also today released its first email encryption transparency report, which looks at how many email providers encrypt messages while they are in transit between the sender and recipient. Currently, Google says, about 65 percent of messages from Gmail to other providers are encrypted, compared to only 50 percent of inbound messages from other services to Gmail. You can find the full report, which also names exactly which providers offer this kind of encryption, here.