Google's Chrome Gmail encryption extension hides NSA-jabbing Easter Egg
Google is famous for its Easter Eggs, including web pages that do barrel rolls or blink or hide video games—but rarely do Google's bits of fun take a political tone. Showing just how unhappy the company, or at least its engineers, are with the National Security Agency's surveillance activities, Google included a jab at America's spooks in a new Chrome browser extension.
The code for Google's upcoming email encryption extension for Chrome, called End-to-End, includes the words, "--SSL-added-and-removed-here-;-)."
That line's a quote from an October 2013 report detailing the NSA's efforts to tap into the internal network links of major companies such as Google and Yahoo.
The report in the Washington Post said that under a program known as MUSCULAR, the NSA, in cooperation with Britain's GCHQ spy agency, was collecting massive amounts of data pulled directly from Google and Yahoo servers located outside the U.S.
In a slide published by the Post, the NSA created a quick overview sketch of how it obtains data from Google's servers. At the bottom of the drawing, the NSA wrote "SSL added and removed here! :-)." The NSA was capitalizing on the fact that Google, at the time, was stripping encryption from data as it flowed from the public Internet into Google's internal network.
When two Google engineers first saw the drawing, they "exploded in profanity," according to the Post.
Nearly eight months later, Google is taking its revenge, or at least the company hopes it is.
Google's End-to-End extension promises to make it easier to use OpenPGP email encryption in the browser. Currently, the easiest option for email encryption is to use a mail client like Mozilla Thunderbird with the Enigmail add-on. A number of other non-Google tools aiming to make email encryption easier are also in development, such as Mailvelope, Dark Mail, and Mailpile.
End-to-End is currently in an early Alpha phase. The extension is effectively open only to developers and power users, since you must first compile the code into a working extension before using it.
During the testing period, Google is inviting comments from the public to make sure the extension is as secure as possible before going mainstream. That's a key point, since the biggest problem with encryption tools typically isn't the type of encryption they use but mistakes in how the encryption is implemented, a fact about software development that was made all too clear recently by the OpenSSL Heartbleed bug.
After the testing period, Google plans to make End-to-End available in the Chrome Web Store.