Google 前天發表了 Chrome 裡面的 PGP 實做套件:「Making end-to-end encryption easier to use」。
目前只放出了 source code,並沒有在 Chrome Web Store 上架,這點在網站上就直接說明了,他們目前認為目前沒有被足夠的人檢查過,所以請不要傳到 Chrome Web Store 上:
Since this is source, I could just build this and submit it to the Chrome Web Store
Please don’t do this.
The End-To-End team takes its responsibility to provide solid crypto very seriously, and we don’t want at-risk groups that may not be technically sophisticated — journalists, human-rights workers, et al — to rely on End-To-End until we feel it’s ready. Prematurely making End-To-End available could have very serious real world ramifications.
One of the reasons we are doing this source code release is precisely so that the community as a whole can help us make sure that we haven’t overlooked anything in our implementation of End-To-End.
Once we feel that End-To-End is ready, we will release it via the Chrome Web Store ourselves.
而為了鼓勵大家去找問題,雖然這是很新的軟體,但已經將 End-to-End 直接納入 Vulnerability Reward Program 裡:
And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.
不過傳統的方法還是會更可靠一些,畢竟 JavaScript 沒辦法很仔細控制記憶體內容,在放掉的記憶體空間內可能會包含某些未加密的資訊,甚至是 private key 的資訊。