from Hacker News

An Update to End-To-End

by aarkay on 12/16/14, 8:13 PM with 38 comments

  • by mrsteveman1 on 12/16/14, 10:09 PM

    Given that they've already decided to include support in Chrome itself for accessing USB hardware security tokens for U2F, I see no reason why they couldn't do the same with End to End + OpenPGPCards like the Yubikey NEO, which happens to also be a U2F device.

    It would provide a solution to some of the issues they document on their own Wiki regarding secret keys being stolen by an attacker through another Chrome extension, another application on the system, etc.

    EDIT: YES! I missed this part[1] in the Wiki earlier:

    "Additionally, we plan to add remote private key support in the future. When support for that is ready, high-risk users could protect their secret keys (stored, e.g., in a hardware USB device) from compromise even when an adversary introduces a backdoor in the source code."

    [1] https://github.com/google/end-to-end/wiki/Threat-model#backd...

  • by jMyles on 12/16/14, 9:13 PM

    I mean, this seems just straight amazing, right? Am I missing something?

    Obviously Google is pivoting on a number of fronts; if this enjoys wide adoption (unlikely as that may seem at the moment), they'll have to basically retreat from email content analytics, right?

  • by jmnicolas on 12/17/14, 1:25 PM

    > We’re migrating End-To-End to GitHub

    A bit off-topic but it seems to me that Github is fast becoming a "too big to fail" actor.

  • by driverdan on 12/16/14, 10:32 PM

    Can anyone who has been using End to End provide some feedback and additional info about it? The docs (and blog posts) don't really say much other than it encrypts text.

  • by Fastidious on 12/17/14, 9:07 PM

    How could a regular user start using this (unless it is not ready at all for the "fearless ones")?

  • by sft on 12/16/14, 10:10 PM

    I wish they would stop calling it End-to-End, it's misleading, they don't talk about DNS at all. One weak link in the chain means the entire chain is weak.

  • by higherpurpose on 12/16/14, 9:48 PM

    I hope they don't work too hard to making it compatible with PGP (and probably shouldn't at all). Just through Gmail and Yahoo alone adopting it, the end-to-end encrypted e-mail user base could increase by 100x. So it makes little sense to make it backwards compatible, especially if that creates potential security issues.