Open-source project promises easy-to-use encryption for email, instant messaging and more

Pretty Easy Privacy system aims to make encryption of written online communication accessible to masses

A software development project launched Monday aims to create free tools that simplify the encryption of online forms of communication like email, instant messaging, SMS and more by solving the complexity associated with the exchange and management of encryption keys.

Called "Pretty Easy Privacy" (PEP), the project's goal is to integrate the technology with existing communication tools on different desktop and mobile platforms. The development team launched a preview PEP implementation Monday for the Microsoft Outlook email client, but plans to build similar products to encrypt communications in Android, iOS, Firefox OS, Thunderbird, Apple Mail, Jabber, IRC (Internet Relay Chat), WhatsApp, Facebook Messenger, Snapchat and Twitter.

The PEP developers launched a crowdfunding campaign on Indiegogo to raise funds that would allow them to set up a foundation to support the project and speed up the development of the various implementations for different platforms.

While most PEP software will be released under the GNU General Public License version 3 and will be free to use, the team will also develop business products that will be commercialized through a new Luxembourg-based company called PEP Security.

The PEP engine relies on existing open-source technologies like GnuPG, an implementation of the OpenPGP encryption standard; GNUnet, a framework for decentralized, peer-to-peer networking; and NetPGP, an OpenPGP implementation for platforms like iOS, where GnuPG is not supported. However, its primary goal is to provide "no hassle" privacy through a "zero-touch" user experience, according to its developers.

On installation, PEP automatically generates encryption keys for the user or imports them from a local PGP client. It is also able to discover the keys for the user's communication partners if they uploaded them to public keyservers or have already sent signed emails in the past. This means PEP will start encrypting communications straight away with some users, and it works even if the other side does not use PEP but another PGP, S/MIME or CMS implementation.

"The PEP engine is doing exactly what a hacker does when he or she is using PGP: create a good keypair with reliable algorithms, handle it safely, manage public keys of other people, and operate the crypto solution in the best known way to keep it safe," said Volker Birk, a German software architect and one of the project's founders, in a blog post.

The PEP plug-in for Outlook uses color-coded trust indicators for email contacts. The default one is grey and signifies that encrypted communication is not yet possible with the selected contact. When the recipient's keys are known and already in the keystore, the trust indicator switches to yellow, which means encrypted communication is possible, but potentially vulnerable to man-in-the-middle attacks.

In order to achieve the highest level of protection, signaled by a green indicator, the two parties need to exchange PEP-generated "safe words" over the phone. Once this handshake is confirmed, the communication is protected against all known attacks, the PEP developers said on the project's Indiegogo page.
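The grey, yellow and green states and the spoken handshake can be sketched as follows. This is an added example, not PEP's code: the article does not say how PEP derives its safe words, so the 16-word list, the SHA-256 derivation and the fingerprints are constructed assumptions.

```python
import hashlib

# Constructed 16-word list (assumption): 4 bits per word. A real tool
# needs a far larger dictionary to give each spoken word more entropy.
WORDS = ["amber", "basil", "cedar", "delta", "ember", "fjord", "grove", "harbor",
         "ivory", "jade", "kelp", "lotus", "maple", "nectar", "onyx", "pearl"]

def safe_words(fpr_a, fpr_b, count=8):
    """Words both parties derive from the two key fingerprints, in either order."""
    a, b = sorted(f.replace(" ", "").upper() for f in (fpr_a, fpr_b))
    digest = hashlib.sha256(f"{a}|{b}".encode()).digest()
    nibbles = [n for byte in digest for n in (byte >> 4, byte & 0x0F)]
    return [WORDS[n] for n in nibbles[:count]]

def rating(keystore, confirmed, contact):
    """Grey: no key known. Yellow: key known, unverified. Green: words confirmed."""
    if contact not in keystore:
        return "grey"
    return "green" if contact in confirmed else "yellow"

def confirm(my_fpr, keystore, confirmed, contact, words_heard):
    """Mark the contact verified only if the words heard on the phone match ours."""
    ok = safe_words(my_fpr, keystore[contact]) == list(words_heard)
    if ok:
        confirmed.add(contact)
    else:
        confirmed.discard(contact)
    return ok

# Constructed fingerprints for illustration only.
ALICE, BOB, MALLORY = "A1" * 20, "B2" * 20, "C3" * 20

def demo():
    """Run the handshake once with genuine keys and once with a substituted key."""
    cases = (("honest", BOB, ALICE), ("substituted", MALLORY, MALLORY))
    results = {}
    for label, alice_holds_for_bob, bob_holds_for_alice in cases:
        keystore, confirmed = {}, set()
        before = rating(keystore, confirmed, "bob")
        keystore["bob"] = alice_holds_for_bob      # key arrives by email or keyserver
        known = rating(keystore, confirmed, "bob")
        bob_reads = safe_words(BOB, bob_holds_for_alice)   # what Bob says on the phone
        confirm(ALICE, keystore, confirmed, "bob", bob_reads)
        results[label] = (before, known, rating(keystore, confirmed, "bob"))
    return results

if __name__ == "__main__":
    print(demo())
```

With a substituted key the two sides hash different fingerprint pairs, so the words read aloud do not match and the contact stays yellow.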

The technology does not rely on centralized infrastructure and uses peer-to-peer technology for anonymous transport. When both parties use it, it is not just the content of messages that gets encrypted, but also metadata like the subject line in the case of emails.

The current goal of the crowdfunding campaign is to raise $50,000, which will help with the development of the PEP implementation for Android. However, more funds will be needed to speed up support for different platforms, communication tools and encryption protocols.


Stories by Lucian Constantin
