At last: Comprehensive browser-based PGP encryption for e-mails and files

It was about seventeen months ago that mailbox.org started out, offering a fully-encrypted e-mail inbox to its customers. The success of our service so far has shown that PGP can work well for everyday users and everyday use cases. It has also proven the feasibility of an underlying principle, where a provider can successfully operate their e-mail service without having or needing access to any of the e-mails stored in user inboxes.

Right from the beginning, it was clear to us that providing plain PGP encryption for e-mails could only be a first step. What was still lacking at the time was an easy-to-use mechanism that can be integrated into web-based mail clients to provide secure access to e-mail from anywhere. There have been some developments, like the well-known PGP plug-in Mailvelope for Mozilla Firefox, which also works with mailbox.org. However, solutions like this one appear to offer only limited encryption, may have problems with some basic e-mail functionality (like the handling of mail attachments in a cloud-based file storage setting), and are not really straightforward to use. We believe that simple PGP plug-ins present half-baked solutions, as they are not fully integrated in a Webmail client, and often rely on non-standard ways to decrypt e-mails (e.g., via cut & paste operations). mailbox.org now has a solution at hand which demonstrates that encrypted communication can actually work in the web browser: securely, conveniently, and for everybody.

Are PCs and mobile phones secure?

Security experts have repeatedly doubted the cryptographic capabilities of browser plug-ins like Mailvelope, which rely on JavaScript. Moreover, mobile devices that use systems based on Android or iOS are not considered secure environments in which one would want to keep a private PGP key. Given these realities, how could it ever be possible to access encrypted e-mail on the go, using untrusted internet terminals or mobile devices?

The situation described above has been a huge motivating factor for our own effort to develop comprehensive PGP support for Webmail over the past 1.5 years. Encryption, decryption, electronic signatures, and the management of public keys all represent essentials for using PGP securely and transparently in everyday communication. It certainly took considerable brainpower to deliver the conceptual framework, plus a lot of patience and persuasion to sort out the technical details – yet a few weeks ago, we were able to start our countdown for launch: We hereby proudly present the “mailbox.org Guard”, available for all mailbox.org users as of today, 2 July 2015.

Together with Open-Xchange, the manufacturer of our Office software suite, we have developed the first (as far as we know) comprehensive PGP implementation for Webmail, offering secure access to PGP-encrypted e-mail from everywhere, around the clock. By the way, the solution also allows encrypting all personal files on the mailbox.org Drive using PGP. Our aim is to ensure that only the rightful data owner can actually access that data.

Server-side PGP Key Management – Good, or good for nothing?

In our design of mailbox.org Guard, we made a deliberate decision to follow an implementation concept that requires the security-sensitive private part of the PGP key to be stored directly on our servers. There are different perspectives on this issue, as can be seen in our 2014 Stiftfilm video clip on the topic. On the one hand, it can be looked at as a great security gain because the private key is no longer stored on devices that are potentially vulnerable to at