Google's Chrome Gmail encryption extension hides NSA-jabbing Easter Egg

Google loves to hide jokes in its products and the company's upcoming end-to-end email encryption extension for Chrome is no exception.

Google is famous for its Easter Eggs, including web pages that do barrel rolls or blink or hide video games--but rarely do Google's bits of fun take a political tone. Showing just how unhappy the company, or at least its engineers, are with the National Security Agency's surveillance activities, Google included a jab at America's spooks in a new Chrome browser extension.

The code for Google's upcoming email encryption extension for Chrome, called End-to-End, includes the words, "--SSL-added-and-removed-here-;-)."

That line's a quote from an October 2013 report detailing the NSA's efforts to tap into the internal network links of major companies such as Google and Yahoo.

The report in the Washington Post said that under a program known as MUSCULAR, the NSA, in cooperation with Britain's GCHQ spy agency, was collecting massive amounts of data pulled directly from Google and Yahoo servers located outside the U.S.

In a slide published by the Post, the NSA created a quick overview sketch of how it obtains data from Google's servers. At the bottom of the drawing, the NSA wrote "SSL added and removed here! :-)." The NSA was capitalizing on the fact that Google, at the time, was stripping encryption from data as it flowed from the public Internet into Google's internal network.

When two Google engineers first saw the drawing they "exploded in profanity," according to the Post.

Nearly eight months later, Google is taking its revenge, or at least the company hopes it is.

Google's End-to-End extension promises to make it easier to use OpenPGP email encryption in the browser. Currently, the easiest option for email encryption is to use a mail client like Mozilla Thunderbird with the Enigmail add-on. A number of other non-Google tools aiming to make email encryption easier are also in development, such as Mailvelope, Dark Mail, and Mailpile.

End-to-End is currently in an early Alpha phase. The extension is effectively open only to developers and power users, since you must first compile the code into a working extension before using it.

During the testing period, Google is inviting comments from the public to make sure the extension is as secure as possible before going mainstream. That's a key point, since the biggest problem with encryption tools typically isn't the type of encryption they use, but mistakes in how the encryption is implemented, a fact about software development that was made all too clear recently with the OpenSSL Heartbleed bug.

After the testing period, Google plans to make End-to-End available in the Chrome Web Store.

[via TechCrunch and @ZenAlbatross]


Stories by Ian Paul
