The plugin is available for Firefox and Chrome. Working locally within the client's browser, it uses the public key of the final recipient to encrypt data sent in a web form. This ensures that the information is not accessible to anyone in between. For example, the plugin can be used to submit highly personal medical information to a doctor through an online service.
The improvements to Mailvelope include:
- the content of web forms can be transferred to the final recipient without even the website owner being able to access the data;
- the OpenPGP.js cryptography library (maintained by ProtonMail and supported by the Horizon 2020 programme) has been extended to meet the latest OpenPGP standard;
- a local GnuPG installation can be linked, so the user can use native applications for activities such as key management; and
- the Web Key Directory (WKD) protocol can be used to obtain the public key of the recipient.
In addition, the BSI commissioned a security audit of the Mailvelope software, including the OpenPGP.js and GPGME libraries. The issues found were resolved with the developers before being released under Coordinated Vulnerability Management.
The development of these improvements to Mailvelope was part of a framework contract that started in January 2018. Through a public tender, the BSI contracted the German open source companies Intevation GmbH and Mailvelope GmbH. Five other small companies working in open source software development and secure mail, based in Luxembourg, Germany and Switzerland, were involved as subcontractors.