End-to-end encrypted web forms

Germany's BSI responsible for further development of Mailvelope

Published on: 28/08/2019

The German Federal Office for Information Security (BSI) has invested in the further development of Mailvelope, an open source browser plugin for end-to-end encryption of webmail and web forms.

The plugin is available for Firefox and Chrome. Working locally within the client's browser, it uses the public key of the final recipient to encrypt data sent in a web form. This ensures that the information is not accessible to anyone in between. For example, the plugin can be used to submit highly personal medical information to a doctor through an online service.

The improvements to Mailvelope include:

  • the content of web forms can be transferred to the final recipient without even the website owner being able to access the data;
  • the OpenPGP.js cryptography library (maintained by ProtonMail and supported by the Horizon 2020 programme) has been extended to meet the latest OpenPGP standard;
  • a local GnuPG installation can be linked, so the user can use native applications for activities such as key management; and
  • the Web Key Directory (WKD) protocol can be used to obtain the public key of the recipient.
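The WKD lookup named in the last item can be illustrated with a short sketch. This is an added example for Node.js, not code from Mailvelope or OpenPGP.js, and the function names `zbase32` and `wkdUrls` are hypothetical. It derives the two HTTPS URLs at which a WKD client looks for a recipient's public key: the SHA-1 hash of the lowercased local part, z-base-32 encoded, under the recipient's own domain.

```javascript
// Added example: derive Web Key Directory (WKD) lookup URLs for an address.
const crypto = require('crypto');

const ZBASE32 = 'ybndrfg8ejkmcpqxot1uwisza345h769';

// Encode a byte buffer as z-base-32 (5 bits per output character).
function zbase32(buf) {
  let bits = 0, value = 0, out = '';
  for (const byte of buf) {
    value = (value << 8) | byte;
    bits += 8;
    while (bits >= 5) {
      out += ZBASE32[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += ZBASE32[(value << (5 - bits)) & 31];
  return out;
}

// Return the "advanced" and "direct" WKD URLs for a mailbox address.
function wkdUrls(address) {
  const at = address.lastIndexOf('@');
  if (at <= 0 || at === address.length - 1) {
    throw new Error('not a mailbox address: ' + address);
  }
  const local = address.slice(0, at);
  const domain = address.slice(at + 1).toLowerCase();
  // Simplification of this example: accept ASCII host names only, so the
  // address cannot inject path, port or userinfo parts into the URL.
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/.test(domain)) {
    throw new Error('unexpected character in domain: ' + domain);
  }
  // Only ASCII letters are lowercased before hashing.
  const folded = local.replace(/[A-Z]/g, (c) => c.toLowerCase());
  const hash = zbase32(crypto.createHash('sha1').update(folded, 'utf8').digest());
  const query = '?l=' + encodeURIComponent(local); // original spelling of the local part
  return {
    advanced: `https://openpgpkey.${domain}/.well-known/openpgpkey/${domain}/hu/${hash}${query}`,
    direct: `https://${domain}/.well-known/openpgpkey/hu/${hash}${query}`,
  };
}

// Sample address for illustration only; no request is sent.
console.log(wkdUrls('Joe.Doe@Example.ORG'));
```

A client tries the advanced URL first and falls back to the direct one only when the `openpgpkey` subdomain does not exist. The key is trusted on the strength of the recipient domain's TLS certificate, so it is only as trustworthy as that domain's web server.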

In addition, the BSI commissioned a security audit of the Mailvelope software, including the OpenPGP.js and GPGME libraries. The issues found were resolved with the developers before being released under Coordinated Vulnerability Management.

Local innovation

The development of these improvements to Mailvelope was part of a framework contract that started in January 2018. Through public tender the BSI contracted the German open source companies Intevation GmbH and Mailvelope GmbH. Five other small companies working in open source software development and secure mail, based in Luxembourg, Germany and Switzerland, were involved as subcontractors.

The call for tender for this project explicitly asked for expertise in JavaScript and cryptography, and for experience with open source projects. To fix the vulnerabilities that were found in the security audit, the project, which was originally planned to run until January 2019, was extended to last until June.