September 1, 2006

Freenigma: Encryption for webmail

Author: Joe 'Zonker' Brockmeier

Until now, security-conscious email users could employ encryption with traditional email clients, but were out of luck with webmail services. Freenigma, a service to add encryption to third-party webmail services via a Firefox plugin, aims to add security to the convenience of webmail. My trial of the service indicates that it's making a good start, but has room to improve.

Freenigma provides encryption that works across multiple webmail platforms. It isn't the first system to encrypt webmail, but it is the first that I'm aware of that encrypts mail for third-party services such as Gmail. You can send encrypted mail through Gmail if you use its SMTP and POP features, but you can't encrypt and decrypt mail within the webmail client itself.

Other secure webmail providers, such as Hushmail, are primarily aimed at charging for services like storage and IMAP. They might provide basic service for free, but they're all about getting paid for the add-ons. Freenigma works with existing providers, so you don't have to give up the 2GB Gmail storage or your existing address.

So how does freenigma plan to make money? That's a bit nebulous, but according to the FAQ, the intent is to keep the service free for "private individuals" but make money from services for companies that outsource mail to webmail providers.

Getting started with freenigma

To get freenigma set up, start by registering an account with a supported webmail service, such as Hotmail, Gmail, or Yahoo! Mail. On the freenigma homepage there's a box on the left side of the page to sign up for an invitation to the service. Fill that out, and you should receive a confirmation email within an hour or so. After you receive the invitation, you'll need to go to the freenigma site, provide the email address you want to use and the password you want, and agree to the terms of service.

The next step is to install a Firefox plugin. I tested the plugin with Firefox 2.0 beta 1, and had no problems with it. After restarting the browser, you'll need to log in to freenigma, and then you'll be able to encrypt and decrypt messages.

The plugin appears as a small icon in the bottom status bar in the Firefox window. Clicking the icon disables freenigma, and right-clicking it pops up a link to the freenigma sign-in page.

Freenigma is dead simple to use, which isn't something you can say about many encryption add-ons. You don't have to worry about managing keys. When you visit a supported webmail service, the freenigma encrypt/decrypt dialog is visible on the pages where you compose and read messages. To encrypt or decrypt a message, just click the button and type your password. That's it -- freenigma does the rest.

Messages are not sent to freenigma's server for encryption; instead, the browser plugin handles that task. According to freenigma's documentation, "the freenigma extension sends nothing more than the list of recipient addresses to the freenigma server" in order to generate a session key to encrypt the mail text, and encryption is done within the browser.

What's missing with freenigma

The service is still in beta, so there are a few areas where freenigma's not quite up to par with using GnuPG with a traditional mail client.

Freenigma encrypts only the message body -- not attachments. According to the freenigma site, that capability might be coming soon, but for now, freenigma's capabilities may not be sufficient if you want to email a confidential PDF or Word document, or if you're sending candid shots of your last party to your best friend. Of course, you can still encrypt attachments using GnuPG or PGP -- but that adds a level of complexity that most users are looking to avoid.
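To make the two points above concrete (only the recipient list goes to the key server, and only the body is encrypted), here is a small model of that data flow. It is an added example, not freenigma's code or protocol: the key service, the function names, and the use of AES-256-GCM in place of the OpenPGP layer are all assumptions, and the draft is constructed sample data.

```javascript
// Added illustration (not freenigma's code): who sees what when only the
// message body is encrypted in the browser.
const nodeCrypto = require('node:crypto');

// Hypothetical key service: records everything the extension sends it.
function makeKeyService() {
  const received = [];
  return {
    received,
    sessionKey(recipients) {
      received.push({ recipients });      // recipient list only, per the quoted docs
      return nodeCrypto.randomBytes(32);  // assumption: service generates and returns the key
    },
  };
}

// Runs "in the browser": encrypts the body locally, leaves attachments untouched.
function encryptDraft(draft, keyService) {
  const key = keyService.sessionKey(draft.to);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(draft.body, 'utf8'), cipher.final()]);
  const armored = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
  // "submitted" is what the webmail provider receives and stores.
  return { key, submitted: { to: draft.to, body: armored, attachments: draft.attachments } };
}

// Reverses encryptDraft for the body; throws if the key or ciphertext is wrong.
function decryptBody(armored, key) {
  const [iv, tag, ct] = armored.split('.').map((s) => Buffer.from(s, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample draft.
const draft = {
  to: ['alice@example.com'],
  body: 'Quarterly numbers attached.',
  attachments: [{ name: 'q3.pdf', data: Buffer.from('%PDF-1.4 constructed sample') }],
};
const keyService = makeKeyService();
const { key, submitted } = encryptDraft(draft, keyService);

console.log('key service saw :', JSON.stringify(keyService.received));
console.log('webmail body    :', submitted.body.slice(0, 40) + '...');
console.log('attachment clear:', submitted.attachments[0].data.toString());
console.log('recipient reads :', decryptBody(submitted.body, key));
```

In this model the webmail provider stores an unreadable body next to a readable attachment, while whoever issued the session key could read the body if the ciphertext ever reached them.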

Many users want to use GnuPG just to sign messages, rather than encrypting them. The freenigma folks note that the functionality is already available to sign messages, but they have not yet enabled it in order to keep the service simple. With any luck, this will change shortly.

Right now, freenigma works with only a few webmail services, so it's of limited use if you want to encrypt emails to someone using an unsupported webmail service or a regular email client. I can encrypt messages with freenigma to my little brothers, who use Gmail and Yahoo! Mail, but not to co-workers or sources who aren't using a supported Web service. The freenigma FAQ says that the developers will add new services if they get enough requests for them.

I'm somewhat pleased to see a service that starts off by supporting Firefox first, and Internet Explorer (maybe) at a later date -- but on the other hand, that also leaves Opera, Safari, Konqueror, and a number of other browser users out in the cold. This can be mighty inconvenient for folks who use webmail to exchange personal email at work, but can't install Firefox on their work computers. Perhaps the freenigma folks could publish the specs needed to make the service work with other browsers.

Another problem with freenigma as it stands right now -- once I download my encrypted mail from Gmail into Sylpheed, it's essentially unreadable, since mail can only be decrypted in Firefox. Many users rely on webmail only when traveling, so it'd be good if users had a way to decrypt mail locally. Freenigma appears to use standard OpenPGP, but users don't have access to the keys -- that's handled through the browser plugin -- so you can't decrypt mail using GnuPG or PGP.

Finally, as with any Web service, you're at the mercy of the provider. Freenigma seemed to be down a couple of times while I was doing this review, which meant I wasn't able to decrypt any mail or send encrypted mail while it was out. The site was up, but I got a "could not authenticate user" message, even though I was providing the correct username and password. In all fairness, the service was just made public, so it's entirely likely it's going through normal growing pains.

Despite the issues I've run into with freenigma, I think it's a great idea, and something that's sorely needed for webmail users. I'd recommend signing up for an account and testing it if you use one of the supported webmail services, but I wouldn't suggest using it for anything mission-critical just yet.

