Just tried this out and it works great! Had to build it using the instructions on the wiki, but nothing too painful. It doesn't just integrate with Gmail, but more with all textareas around the web. When you are typing in a textarea and press the extension icon next to the hamburger menu it will pop open a menu containing the text that you were typing on the site, and are given the options to encrypt/sign a message. When done it replaces the contents of the textarea on the site with the signed/encrypted message.
It works quite nicely, and I like it. I would like to see some kind of keybase integration, though it's not hard to import my tracked users into the extension by exporting my gpg keyring and importing it again.
But as I'm typing, Gmail is saving my draft automatically to Google servers. Normally, at least. This means Google would have a copy of my email as it existed before I encrypted it.
In your testing, do you see any evidence that this extension prevents Gmail's automatic draft saving?
In the FAQ they mention "End-To-End doesn’t trust any website's DOM or context with unencrypted data. We have tried to ensure that the interaction between the extension and websites is minimal and does not reveal secrets to the website."
I'm curious about this too. Does that mean they somehow insert a textbox that the host page can't see? I didn't realize extensions could do that.
Edit: ah, this appears to be where it happens. They insert an iframe the extension owns, so the host page won't be able to see what's in it:
It would be nice if that got added to PwdHash[1] extension[2]. PwdHash Chrome extension currently seems to just try to capture all keyboard events while the master password is entered in a site's password box. Also, it seems to me that it runs in the site's context.
But when displaying the cleartext of a previously sent email or received email... they must be able to decipher the encrypted text in order to display it to the viewer, no?
Not if you choose to first type your message in the textarea on the website, but this is optional. You can also click the extension icon, and begin typing your message in the extension window. That way it never touches the DOM of the target page, but it is slightly less convenient.
Should be fixed now. The Google End-to-End library uses the 5-byte encoding scheme for signature subpacket lengths, which I hadn't seen used before and was buggy in KBPGP. Most signature subpackets are <192 bytes long and can be encoded with the 2-byte length encoding.
BTW, our library doesn't support the ECC extensions yet, so any encryptions/signatures generated with ECC keys will fail to decrypt/verify on keybase (and also on GPG v1.4).
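The signature subpacket length encodings from RFC 4880 section 5.2.3.1, including the 5-octet form mentioned in the comment above, as an added example that is not part of the thread and is not KBPGP or End-to-End code. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example: signature subpacket parsing per RFC 4880 section 5.2.3.1.
// Function names and the sample bytes are constructed for illustration.

// Decode a subpacket length starting at `off`; returns the length and how many
// octets the length field itself occupied (1, 2 or 5).
function readSubpacketLength(buf, off) {
  if (off >= buf.length) throw new RangeError('truncated length');
  const o1 = buf[off];
  if (o1 < 192) return { len: o1, used: 1 };
  if (o1 < 255) {
    if (off + 2 > buf.length) throw new RangeError('truncated 2-octet length');
    return { len: ((o1 - 192) << 8) + buf[off + 1] + 192, used: 2 };
  }
  if (off + 5 > buf.length) throw new RangeError('truncated 5-octet length');
  // 0xFF marker followed by a 4-octet big-endian length; >>> 0 keeps it unsigned.
  const len = ((buf[off + 1] << 24) | (buf[off + 2] << 16) |
               (buf[off + 3] << 8) | buf[off + 4]) >>> 0;
  return { len, used: 5 };
}

// Walk a hashed/unhashed subpacket area and return each subpacket.
function parseSubpackets(buf) {
  const out = [];
  let off = 0;
  while (off < buf.length) {
    const { len, used } = readSubpacketLength(buf, off);
    off += used;
    // The length counts the type octet plus the body, never the length field.
    if (len < 1 || off + len > buf.length) throw new RangeError('bad subpacket length');
    const typeOctet = buf[off];
    out.push({
      type: typeOctet & 0x7f,          // low 7 bits: subpacket type
      critical: (typeOctet & 0x80) !== 0,
      lengthOctets: used,
      body: buf.slice(off + 1, off + len),
    });
    off += len;
  }
  return out;
}

// Constructed sample: a signature creation time subpacket (type 2, 4-byte body)
// written with the 1-octet length, then the same subpacket with the 5-octet form.
const SHORT_FORM = Uint8Array.from([0x05, 0x02, 0x53, 0x8f, 0x1a, 0x00]);
const LONG_FORM = Uint8Array.from([0xff, 0, 0, 0, 0x05, 0x02, 0x53, 0x8f, 0x1a, 0x00]);
```

Both sample encodings parse to the same type and body; a parser that only handles the 1- and 2-octet forms would misread `LONG_FORM` from its first byte.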
edit: It seems that the keybase website does not like messages created by this extension. https://github.com/keybase/keybase-issues/issues/752