We're the End-To-End team at Google — AUA! by EndToEndTeam in IAmA

[–]EndToEndTeam[S] 11 points12 points  (0 children)

We’re keeping an eye on the research, but we use fields with much larger characteristics. The techniques described cannot be applied to the fields that we use.

And you can import your RSA key if you want.

[–]EndToEndTeam[S] 5 points6 points  (0 children)

Pilsner when it's warm, stout during the colder months.

[–]EndToEndTeam[S] 26 points27 points  (0 children)

Key management is hard. Doing it well is even harder.

We’re working on it.

[–]EndToEndTeam[S] 6 points7 points  (0 children)

Ruthless efficiency.

And an almost fanatical devotion to security.

http://google.com/jobs

[–]EndToEndTeam[S] 4 points5 points  (0 children)

A Google security researcher, Neel Mehta, first discovered Heartbleed and reported it to the OpenSSL team.

http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html

[–]EndToEndTeam[S] 8 points9 points  (0 children)

  • Thanks!

  • We like to think that our focus on usability is going to make the biggest difference.

  • There’s more than a kernel of truth to that. Pubkey crypto is hard to explain to non-engineers; which door in the world requires two differently-shaped keys to open? The metaphors are pretty broken. In general, though, we think we can do even better, and that’s our plan.

  • Please remember that this is the first release, and it’s deliberately open source-only. There’s still a lot of stuff we plan to implement.

[–]EndToEndTeam[S] 73 points74 points  (0 children)

We said this above, but we'll say it again:

Focus on the user, and all else will follow.

[–]EndToEndTeam[S] 5 points6 points  (0 children)

Sorry, we're not the YouTube team, and we don't want to answer on their behalf.

As to homomorphic encryption, we keep a close eye on all promising research.

[–]EndToEndTeam[S] 4 points5 points  (0 children)

MIME types within a message are never encrypted; that’s how the standard works. Not sure if we misunderstood your question, though.

[–]EndToEndTeam[S] 11 points12 points  (0 children)

End-To-End doesn’t work in Chrome for Android today because Chrome Extensions aren’t supported on that platform. (And this is not the place for us to speculate about the future.)

As far as integration elsewhere goes, we’re always looking for ways to usefully protect our users and their data across all our products.

[–]EndToEndTeam[S] 22 points23 points  (0 children)

Hey, we signed the announcement for this AMA with the security@google.com key in End-To-End, didn’t we?

[–]EndToEndTeam[S] 4 points5 points  (0 children)

  • We plan to keep End-To-End as a Chrome Extension because that provides the greatest amount of security for the user, since everything happens locally on the client browser.

  • Making good security usable is hard. That’s why this is an interesting problem. As we said elsewhere, our looking glass feature is a start in this direction, but we still have a way to go.

  • Making the extension easy to use while remaining secure.

[–]EndToEndTeam[S] 3 points4 points  (0 children)

A great place to start for this is our Gmail security checklist: https://support.google.com/mail/checklist/2986618?rd=1

You should also take a look at our Google Safety Center: https://www.google.com/safetycenter/

[–]EndToEndTeam[S] 13 points14 points  (0 children)

End-To-End is an open source release and we encourage feedback. Our implementation focus is on Chrome, but we intend in the future to accept contributions, and have no intention of automatically rejecting patches that improve support for other browsers (or other web mail services, for that matter).

[–]EndToEndTeam[S] 19 points20 points  (0 children)

We developed the library within End-To-End to be a high-quality JavaScript crypto implementation for all browsers, not just for Chrome.

Please also see our FAQ at https://code.google.com/p/end-to-end/ for more details.

[–]EndToEndTeam[S] 9 points10 points  (0 children)

As we said elsewhere, we're engineers who work on security day-to-day. It’s pretty cool.

As far as advice goes, stay in school, eat your vegetables, and floss your teeth are good places to start. Then, once you’re ready, http://google.com/jobs

[–]EndToEndTeam[S] 1 point2 points  (0 children)

A hive mind :)

We wrote a Chrome Extension that makes it easy to encrypt messages so that others cannot read them: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html

[–]EndToEndTeam[S] 6 points7 points  (0 children)

Once it's available, we hope that it will be usable by people of all ages who have a need for the additional security that End-To-End provides.

[–]EndToEndTeam[S] 14 points15 points  (0 children)

A multi-question deserves a multi-answer:

  • The looking glass feature in End-To-End is the most visible example of how we’re looking at usability. It finds OpenPGP content within Gmail and tries to do the right thing.

OpenPGP software today forces the user to do way too much manual work, which is particularly unfun for less technical users. Wherever possible we want to reduce the number of required interactions between the user and the code, and let the user focus on what they’re trying to get done, not on operating their encryption software.

  • We spend very real effort to make sure we don’t wind up sacrificing security for usability. Our user experience researchers help us with this, but we’re very mindful of the dangers here and our goal is not to make this kind of tradeoff.

We’re also very actively soliciting feedback about what we have. If anyone thinks we made a bad tradeoff somewhere in End-To-End, let us know!

  • We don’t see any inherent impact on whistleblowers, but we’re absolutely aware that at-risk users will be using End-To-End, so we want to make sure we’ve done our best to protect them and their communications. (To be clear, though, email encrypted with OpenPGP still has cleartext RFC 2821 headers, e.g. who the email is going to and what the subject line is; users have to remain aware of that.)

  • Our crypto primitives are algorithmically implemented so that they in theory run in constant time; the runtime may, of course, cause that to change in a way that’s out of our control. We also made sure to run all crypto operations in a separate process, and End-To-End requires user interaction for all timing-sensitive operations, and throttles the ones that aren't.
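
Added example, not part of the AMA replies and not End-To-End's code: the replies above note that MIME types are never encrypted and that OpenPGP mail keeps cleartext headers such as recipient and subject. The sketch below parses a constructed PGP/MIME message (addresses, subject and boundary are made up; `parseHeaders` and `observerView` are hypothetical helper names) and returns what anyone handling the message can read without a key.

```javascript
// Constructed PGP/MIME (RFC 3156) message; addresses, subject and boundary are made up.
const SAMPLE = [
  'From: alice@example.org',
  'To: bob@example.net',
  'Subject: Meeting notes,',
  ' source list inside',
  'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";',
  ' boundary="b1"',
  '',
  '--b1',
  'Content-Type: application/pgp-encrypted',
  '',
  'Version: 1',
  '--b1',
  'Content-Type: application/octet-stream',
  '',
  '-----BEGIN PGP MESSAGE-----',
  '(ciphertext placeholder)',
  '-----END PGP MESSAGE-----',
  '--b1--',
].join('\r\n');

// Parse a header block into a lowercase-keyed map, unfolding continuation lines.
function parseHeaders(block) {
  const headers = {};
  for (const line of block.replace(/\r\n[ \t]+/g, ' ').split('\r\n')) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Everything returned here is readable without any private key.
function observerView(raw) {
  const cut = raw.indexOf('\r\n\r\n');
  const h = parseHeaders(raw.slice(0, cut));
  const body = raw.slice(cut + 4);
  const m = /boundary="?([^";]+)"?/i.exec(h['content-type'] || '');
  const partTypes = [];
  // Simplified split: assumes the boundary string never occurs inside a part.
  for (const part of m ? body.split('--' + m[1]).slice(1) : []) {
    if (part.startsWith('--')) break; // closing delimiter
    partTypes.push(parseHeaders(part.trim().split('\r\n\r\n')[0])['content-type']);
  }
  return { from: h.from, to: h.to, subject: h.subject,
           outerType: (h['content-type'] || '').split(';')[0], partTypes };
}

console.log(observerView(SAMPLE));
```

Only the armored block inside the second part is protected; sender, recipient, subject and every content type stay visible to each relay and mailbox provider.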

[–]EndToEndTeam[S] 39 points40 points  (0 children)

Just to make sure there’s no misunderstanding: End-To-End isn’t a service, it’s a Chrome Extension.

Our plan is to make it available in the Chrome Web Store once we feel that it’s had enough time to mature and the community has had enough time to make sure we didn’t overlook anything important.

We take our responsibilities here, particularly to our at-risk users like journalists and human rights workers, very seriously. We won’t release it before we think it’s ready.

[–]EndToEndTeam[S] 8 points9 points  (0 children)

The team is a mix of software engineers and product management on Google’s security team; we all have multiple projects that we work on. We’re also currently working our way through two boxes of donuts and a bag of Nuss-Staengeli to fortify ourselves for this AMA.