Wednesday, April 1, 2020

S/MIME signed messages support in Gmail

From RFC 5751:

"There are two formats for signed messages defined for S/MIME:

  • application/pkcs7-mime with SignedData
  • multipart/signed.

In general, the multipart/signed form is preferred for sending, and receiving agents MUST be able to handle both."

As of April 1, 2020, the situation with S/MIME signed message support for free Gmail accounts is as follows:

multipart/signed

  • Gmail to Gmail: NOK  (since 2013)
  • Gmail to External Mail: NOK (since 2013)
  • External Mail to Gmail: OK 

application/pkcs7-mime with SignedData

  • Gmail to Gmail: NOK (since 2017)
  • Gmail to External Mail: OK
  • External Mail to Gmail: OK 

NOK means the Gmail service mangles the message in transit by:
  • repacking MIME entities and changing boundaries
  • changing the content type of the message to multipart/mixed
  • restricting access to S/MIME signature for multipart/signed messages
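
The two signed formats and the rewrapped case can be told apart from the MIME structure alone. The following is an added example, not code from Fossa Guard or Gmail: it uses Python's standard `email` package, and the verdict labels, the `classify` and `sample` helpers and the sample messages are constructed for illustration. It treats a detached signature part found outside a `multipart/signed` container as evidence of rewrapping, which is a heuristic assumption.

```python
from email import message_from_string
from email.message import Message

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
P7M_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
NONE = "no-signature-found"
# Verdicts in reporting priority; the labels are this example's own.
VERDICTS = ("orphaned-signature", "multipart/signed", "pkcs7-mime signed-data")


def classify(part: Message) -> str:
    """Classify the S/MIME signing format of a parsed MIME entity."""
    ctype = part.get_content_type()
    protocol = str(part.get_param("protocol", "")).lower()
    if ctype == "multipart/signed" and protocol in SIG_TYPES:
        return "multipart/signed"  # children are framed by the signed container
    if ctype in P7M_TYPES:
        # smime-type is optional; without it the CMS blob would need parsing.
        smime_type = str(part.get_param("smime-type", "")).lower()
        return "pkcs7-mime signed-data" if smime_type == "signed-data" else NONE
    if ctype in SIG_TYPES:
        # Detached signature reached outside multipart/signed: the container
        # was rewritten, so the signed content is no longer framed.
        return "orphaned-signature"
    if part.is_multipart():
        found = {classify(child) for child in part.get_payload()}
        return next((v for v in VERDICTS if v in found), NONE)
    return NONE


def sample(top_type: str) -> str:
    """Constructed two-part message; 'AAAA' stands in for a real signature."""
    return (
        "From: alice@example.org\nMIME-Version: 1.0\n"
        f'Content-Type: {top_type}; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nhello\n"
        '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
    )


SIGNED = sample('multipart/signed; protocol="application/pkcs7-signature"')
REWRAPPED = sample("multipart/mixed")  # same parts, container type changed
OPAQUE = ("Content-Type: application/pkcs7-mime; smime-type=signed-data\n"
          "Content-Transfer-Encoding: base64\n\nAAAA\n")

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("rewrapped", REWRAPPED), ("opaque", OPAQUE)):
        print(name, "->", classify(message_from_string(raw)))
```

Running the classifier on the raw source of a message as sent and as received shows whether the container type survived transit.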

The history of the above points:

Friday, March 6, 2020

Technical details about Chrome extension


During installation on Windows 10, the Chrome extension artifacts are copied into the folder of the default Chrome account:
C:\Users\<Windows Login>\AppData\Local\Google\Chrome\User Data\Default

Note that if a Windows user has several Chrome accounts, each Chrome account has its own set of installed extensions, with its root located at
C:\Users\<Windows Login>\AppData\Local\Google\Chrome\User Data\Profile<N>

Source files 

The source files of a Chrome extension are stored in a sub-folder named after the ID and the version of the extension:
...\Extensions\<Extension ID>\<Extension Version>\

Local Storage

The local storage of a Chrome extension is kept at:
...\Local Extension Settings\<Extension ID>\

Note that: 

  • local storage is isolated from the common Chrome storages: Local, Session or IndexedDB
  • local storage can be accessed only from the corresponding Chrome account using Developer Tools
  • local storage is in LevelDB format
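
The folder layout above is enough to inventory what is installed in each Chrome profile. The following is an added example, not part of Fossa Guard: `inventory_extensions` and `build_sample` are hypothetical helpers, the extension ID and manifest in the sample tree are constructed, and `manifest.json` with its `name`, `version` and `permissions` keys is the standard Chrome extension manifest rather than something described on this page.

```python
import json
import tempfile
from pathlib import Path


def inventory_extensions(user_data: Path) -> list:
    """List extensions installed in every profile under a 'User Data' root."""
    rows = []
    profiles = sorted(p for p in user_data.iterdir() if p.is_dir()
                      and (p.name == "Default" or p.name.startswith("Profile")))
    for profile in profiles:
        # Layout from the text: Extensions\<Extension ID>\<Extension Version>\
        for manifest in sorted(profile.glob("Extensions/*/*/manifest.json")):
            ext_id = manifest.parent.parent.name
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}  # unreadable or malformed manifest: still report the ID
            storage = profile / "Local Extension Settings" / ext_id
            rows.append({
                "profile": profile.name,
                "id": ext_id,
                "version": data.get("version", manifest.parent.name),
                "name": data.get("name", "?"),
                "permissions": data.get("permissions", []),
                "has_local_storage": storage.is_dir(),
            })
    return rows


def build_sample(root: Path) -> Path:
    """Constructed tree: made-up extension ID and manifest, two profiles."""
    ext_id = "abcdefghijklmnopabcdefghijklmnop"
    for profile, perms in (("Default", ["storage"]), ("Profile 1", ["tabs"])):
        src = root / profile / "Extensions" / ext_id / "1.0.0_0"
        src.mkdir(parents=True)
        (src / "manifest.json").write_text(json.dumps(
            {"name": "Sample", "version": "1.0.0", "permissions": perms}))
    (root / "Default" / "Local Extension Settings" / ext_id).mkdir(parents=True)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in inventory_extensions(build_sample(Path(tmp))):
            print(row)
```

On a real machine, pass the `User Data` folder shown above instead of the sample tree.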

State Management

Navigate to chrome://extensions to manage extensions for the currently logged-in Chrome user.

The user can:

  • Enable / Disable extension
  • Update / Refresh
  • Remove
  • Navigate to Background page (Developer mode) 
  • Review Errors log (Developer mode)

In Developer mode, extensions can be installed not only from the Chrome Web Store but also from a local drive using 'Load unpacked'.


The Fossa Guard extension consists of 3 main components linked via messaging:

  • Content script operates on the Gmail page in a dedicated iframe, communicates with Gmail via DOM messages and by observing DOM events, and communicates with the Background script via Chrome messages.
  • Settings page provides the user UI to manage certificates and keys.
  • Background script is responsible for cryptography, works with the extension storages and communicates with external services via http(s) calls.

Monday, February 24, 2020

Reply and Forward in S/MIME format

From V0.1.17, Fossa Guard Pro enables Reply All, Reply and Forward for plain-text messages via a dedicated bar on top of each email.

When clicked, it opens the FossaGuard compose dialog with the content of the selected email and the options to encrypt and to sign the reply (or the forwarded message).

Click an email in the thread to view its content; this gives access to the bar so that you can reply to (or forward) that specific email.

Auto-indexing option

Starting from V0.1.17, Fossa Guard Pro supports an option to auto-index S/MIME emails as they are read, meaning that the search index is updated automatically.

Emails that are left unread can be indexed manually by clicking the `Refresh` link, which updates the index from the last update time up to the current time.
Note that the search index is limited by the extension's local storage size quota of around 5 MB.

Friday, January 31, 2020

2019 year summary

2019 was quite intriguing and motivating. The Fossa solution has attracted strong interest from tier 1 international companies. End-to-end encryption for Gmail is becoming a vital necessity as US head offices insist that regional offices migrate to Gmail. Technical experts quickly realized that the hosted S/MIME solution provided by G Suite from Google doesn't guarantee email privacy while having a 10x higher operational cost compared with the Fossa solution.

Gmail 2018 UI

At the beginning of 2019 the Fossa Team completed support for the new Gmail 2018 UI, including preview pane support.

Google Security requirements 2019

We spent a remarkable amount of time, from May 2019 till October 2019, passing the new Google security requirements verification, which included:

Gmail Web mobile 

Basic Gmail web mobile support has been implemented following a request from one of our customers, giving the same user experience on Android devices:

Non-Chrome browsers

Support for the Yandex, Firefox and Opera browsers as an alternative to the Chrome browser is quite important for some of our potential clients.

Multiple emails 

Support for multiple email addresses in the Subject Alternative Name extension is also a request "from the field", where companies use both long and short email addresses for the same employee.

Search in encrypted emails

The final and most wanted capability is full-text multi-language search inside S/MIME encrypted messages, based on manual generation and refreshing of a local search index.

2020 is promising to become rich in new features and capabilities.
Stay tuned.

Wednesday, January 8, 2020

Search inside S/MIME messages

Since V0.1.16, the Fossa Guard Pro extension supports multi-language search inside S/MIME encrypted messages using a locally built full-text index, which contains word statistics and does not contain the content of the messages.
You can download the index to verify this: it is in Elasticlunr format and stores statistics on each email's subject, body and attachment names.
First, the user should decide which languages to use for searching, so that the specific stemming and stopword filtering are applied, from the following list:

  • English (default)
  • German
  • French
  • Spanish
  • Italian
  • Dutch
  • Danish
  • Portuguese
  • Finnish
  • Romanian
  • Hungarian
  • Russian
  • Norwegian
  • Swedish
  • Turkish

where English is the default language.
Please keep in mind that each additional language slightly slows down indexing and searching.

Click `Build Search Index` to start indexing all emails in all folders labeled with the S/MIME label. Fossa Guard Pro tries to automatically label all new incoming S/MIME emails based on the email's content type, but please make sure that all emails you plan to search are labeled.
The user may be asked to confirm the language selection if more than 2 additional languages have been chosen:

Once the confirmation is received, the index build starts, indicating the number of emails processed out of the total S/MIME emails discovered.

Note that during the process the user will be asked to enter the passphrase for the private key in order to decode S/MIME encrypted messages. The passphrase is cached for 10 minutes to make the indexing process convenient for the user.

Once the index is built, it keeps the time of the last update so that it can be refreshed incrementally in the future.

Index metadata also contains the language selection, the number of emails indexed and the approximate size of the index. For the moment the index is stored in the local storage of the extension, which is limited to 5 megabytes.
The user can:

  • `Download` the index in JSON format (the ability to import the index will be added later, which can be helpful for some special cases)
  • `Refresh` the index, in which case all new emails since the time of the last update are checked for S/MIME content type and added to the index
  • `Remove` the index

To search indexed emails, the user should use the standard Gmail search bar with the `smime:` prefix:

The drop-down list should display a scrollable list of all matched emails so that the user can point to one and open it in one click.

That's all about search in S/MIME emails implemented in Fossa Guard Pro version.
Happy New Year!

Monday, December 23, 2019

Multiple email addresses support in Subject Alternative Name

Since v0.4.18 (free) / v0.1.15 (pro), the Fossa Guard web extension supports multiple email addresses associated with a security certificate via the Subject Alternative Name field, which is an extension to X.509.