Showing posts with label end-to-end. Show all posts

Friday, November 27, 2020

Fossa Guard Pro 1.0.3 Hidden Subject support

Fossa Guard Pro V1.0.3 adds an option to hide the Subject and the recipients' display names (leaving only the email addresses) by wrapping the original message in a message/rfc822 entity and encrypting that wrapper.

A new 'Hide Subject' checkbox becomes available once you choose to encrypt the message.


The subject is replaced by the generic 'Confidential Email', so the message looks like an empty message with an encrypted attachment 'smime.p7m'.


In Outlook this message appears as a message carrying the original message inside it, S/MIME encrypted and signed.
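The MIME layout behind 'Hide Subject', as an added example that is not Fossa Guard's own code: the original message is wrapped as a message/rfc822 entity (the plaintext that would be S/MIME-encrypted), and the outer message exposes only bare addresses, the generic subject and the ciphertext as smime.p7m. The sample message is constructed, and a labelled placeholder stands in for the ciphertext since the encryption step itself is not shown.

```python
# Added example, not Fossa Guard's code: the MIME layout behind 'Hide Subject'.
# The original message becomes a message/rfc822 entity (the plaintext to be
# S/MIME-encrypted); the outer message carries bare addresses, a generic subject
# and the ciphertext as smime.p7m. Encryption itself is out of scope here, so a
# constructed placeholder stands in for the ciphertext.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

GENERIC_SUBJECT = "Confidential Email"

def constructed_original():
    """Constructed sample whose subject and display names must not appear in clear text."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Fossa User <fossa.user@gmail.com>"
    msg["To"] = "Alice Example <alice@example.com>"
    msg["Subject"] = "Q3 budget (confidential)"
    msg.set_content("Figures attached in the next revision.")
    return msg

def rfc822_plaintext(original):
    """Bytes handed to S/MIME encryption: the original wrapped as a message/rfc822 entity."""
    part = EmailMessage(policy=policy.default)
    part.set_content(original)      # content manager emits Content-Type: message/rfc822
    return part.as_bytes()

def outer_message(original, ciphertext):
    """Outer envelope: addresses only (no display names), generic subject, smime.p7m body."""
    outer = EmailMessage(policy=policy.default)
    for hdr in ("From", "To"):
        pairs = getaddresses([str(h) for h in original.get_all(hdr, [])])
        outer[hdr] = ", ".join(addr for _name, addr in pairs)
    outer["Subject"] = GENERIC_SUBJECT
    outer.set_content(ciphertext, maintype="application", subtype="pkcs7-mime",
                      disposition="attachment", filename="smime.p7m",
                      params={"smime-type": "enveloped-data", "name": "smime.p7m"})
    return outer

def unwrap(decrypted_plaintext):
    """Recipient side, after decryption: recover the original message and its real subject."""
    part = BytesParser(policy=policy.default).parsebytes(decrypted_plaintext)
    if part.get_content_type() != "message/rfc822":
        raise ValueError("expected a message/rfc822 wrapper")
    return part.get_content()
```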



Check the video demonstrating it.

Link to the extension: Fossa Guard Pro V1.0.3 



Thursday, July 2, 2020

Fossa Guard Pro 1.0 Personal Certificate enrollment options

Once Fossa Guard Pro 1.0 is installed, the user has to enroll an identity (a Personal Certificate) to start secure emailing. The enrollment artifacts are stored in the local Chrome extension storage within the user's profile (see https://fossaguard.blogspot.com/2020/03/technical-details-about-chrome-extension.html for details) and consist of:
  • Private Key - keep it private; it is used to
    • decrypt messages sent to you
    • sign messages so that your recipients can verify the signature using your Public Certificate
  • Trusted Certificates - the chain of officially trusted certificates that issued your Public Certificate, from the direct issuer up to the trusted root certificate, so that anyone can verify the origin of your Public Certificate.
  • Public Certificate - the certificate your recipients use to encrypt private messages sent to you; it is also used when you send an encrypted message to yourself, so it is present in both the Personal and the Recipients certificate lists.
There are three main options to enroll the Personal Certificate once Fossa Guard is installed.



Import Private Key (p12, pfx)


This option applies when the user already has a personal identity as a P12 or PFX file protected by a passphrase (which may be empty). Such a file usually contains a Private Key together with the corresponding Public Certificate.
Once the user provides the correct passphrase to decrypt the imported file, Fossa Guard:

  • Checks that the contained Public Certificate is valid and is issued to the email address of the logged-in user; if so, the Private Key is assigned as the user's default identity
  • Adds the corresponding certificate to the Recipients list (so the user can send encrypted emails to themselves)
NOTE that few or no vendors provide free trusted S/MIME identities: http://kb.mozillazine.org/Getting_an_SMIME_certificate


Enroll Fossa Certificate


The user can enroll a free Personal Certificate signed by the Fossa Certificate Authority (CA). The Fossa Guard extension and Fossa CA are designed to make enrollment simple and secure using Enrollment over Secure Transport (EST).
Once the user provides a name (the only mandatory parameter), the procedure can start.


The Private/Public key pair and the Certificate Signing Request (CSR) are generated locally in the browser.

In the next step, the user logs in to the Fossa Server (by clicking `Get Shared Secret from Fossa.me Server`) to obtain a shared secret, which is used to establish the TLS connection. Note that you must log in to the Fossa Server with the same Gmail account so that the shared secret is issued for the corresponding email address.


Over this TLS connection Fossa Guard sends the Certificate Request, with the Public Key inside, and receives back the Public Certificate signed by Fossa CA.
In the final step, Fossa Guard asks the user to enter a passphrase to protect the Private Key before storing it together with the Public Certificate in the local Chrome extension storage.

That's all: Fossa Guard is ready for secure mailing via Gmail.


Enroll Self-signed Certificate


The self-signed Personal Certificate enrollment procedure consists of only the first and last steps of the Fossa certificate enrollment.
On completion, the self-signed certificate is automatically added to the Personal, Trusted, and Recipients certificate lists.

NOTE that self-signed certificates cannot be verified against issuer certificates, so the user has to find a trusted way to share the certificate with recipients.


Wednesday, July 1, 2020

Fossa Guard Pro 1.0 Settings overview

The Fossa Guard settings page contains three corresponding lists:

  • Personal Certificates - the list of the user's Private Keys. There are three main options to add them:
    • Import Private Key (p12, pfx) - via a P12 or PFX file protected by a passphrase (which may be empty)
    • Enroll Fossa Certificate - via the enrollment procedure in which the certificate is securely signed on the Fossa Server
    • Enroll Self-signed Certificate - via a fully local enrollment procedure
  • Trusted certificates - the list of Certificate Authority (CA) certificates officially trusted by major vendors, usually published openly on the vendors' sites. Fossa Guard comes with preloaded trusted certificates for the following identity vendors:
    • Comodo
    • DigiCert
    • Fossa.me
    • GlobalSign
    • WISeKey
  • Recipients certificates - the public certificates of your recipients, including your own.
Users can import additional Trusted and Recipients certificates from a file in PEM or DER format.

NOTE that self-signed certificates are recognized and proposed to be added to both the Trusted and the Recipients lists.


Clicking a certificate name opens the certificate details.




Sunday, June 28, 2020

Fossa Guard Pro 1.0 S/MIME signed support

Send S/MIME signed message

Gmail mangles S/MIME signed messages delivered to Gmail mailboxes in both standard formats:

  • application/pkcs7-mime with SignedData - by restricting access to the signature (G Suite uses this format to sign messages)
  • multipart/signed - by rearranging the MIME parts of the message, converting it to multipart/mixed

The following approach has therefore been implemented to send S/MIME signed emails:

  • to *@gmail.com addresses, a multipart/mixed message is used with an smime.p7m attachment that contains the original S/MIME multipart/signed message with its signature, for the following reasons:
    • the user can see the message content and files without any extension
    • the user can view the content and files of the original message, with the digital signature, using Fossa Guard
  • to all other addresses, the standard S/MIME SignedData format is used, for the following reasons:
    • G Suite accounts use custom domains
    • G Suite uses the SignedData format internally for S/MIME signed messages
    • Gmail does not mangle messages sent to external addresses

Signature status indication

When the user opens an S/MIME signed message in the Gmail UI, the Fossa Guard extension tries to verify the signature.
Once the S/MIME signature is verified, the corresponding status is indicated.
Fossa Guard replaces the content of the message with the original read from the smime.p7m attachment.
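The per-recipient format rule and the receive-side unwrapping described above, as an added example that is not Fossa Guard's own code. The exact layout of the smime.p7m attachment that carries the multipart/signed message is assumed (the signed message's raw bytes, base64-encoded), and the sample messages are constructed with placeholder signature parts rather than real CMS signatures.

```python
# Added example, not Fossa Guard's code: the per-recipient format rule from the
# list above plus the receive side that pulls the original multipart/signed
# message back out of an smime.p7m attachment. Samples are constructed; the
# signature parts are placeholders, not real CMS signatures.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

PARSER = BytesParser(policy=policy.default)
SIGNED = b"""Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain

Body that was signed.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

PHBsYWNlaG9sZGVyPg==
--sig--
"""
SIGNED_DATA = b"Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m\n\nPHBsYWNlaG9sZGVyPg==\n"

def signed_format_for(address):
    """Sending rule: @gmail.com gets the multipart/mixed wrapper, all others plain SignedData."""
    return "multipart/mixed" if address.rsplit("@", 1)[-1].lower() == "gmail.com" else "application/pkcs7-mime"

def wrap_for_gmail(signed_raw):
    """Gmail-bound form (assumed layout): multipart/mixed carrying the signed message as smime.p7m."""
    outer = EmailMessage(policy=policy.default)
    outer.set_content("This message was signed with S/MIME; the original is in smime.p7m.")
    outer.add_attachment(signed_raw, maintype="application", subtype="pkcs7-mime", filename="smime.p7m")
    return outer.as_bytes()

def original_from_incoming(raw):
    """Receive side: (layout, message to verify) for the layouts Fossa Guard handles."""
    msg = PARSER.parsebytes(raw)
    ct = msg.get_content_type()
    if ct == "application/pkcs7-mime" and msg.get_param("smime-type") == "signed-data":
        return "signed-data", msg            # opaque CMS; content visible only after verification
    if ct == "multipart/signed":
        return "multipart/signed", msg
    if ct == "multipart/mixed":
        for part in msg.iter_attachments():
            if part.get_filename() == "smime.p7m":
                inner = PARSER.parsebytes(part.get_content())
                if inner.get_content_type() == "multipart/signed":
                    return "wrapped multipart/signed", inner
    return "unsigned", msg
```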


A new button `View Original Message` becomes available; it opens the email in the Fossa Guard View dialog with the original message content and original attachments.


Signature verification 



  • The attached certificate chain is not used in the email signature verification procedure until it is added to the Trusted list.
  • Email signature verification is performed as of the email's Sent date.
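An added example, not Fossa Guard's code, covering the enrollment steps from the previous post (local key pair and CSR generation, the self-signed variant, and the import check that the certificate is issued to the logged-in user's address) together with the Sent-date rule above. It assumes the third-party `cryptography` Python package is installed and that the address is bound to the certificate as an rfc822Name SAN.

```python
# Added example, not Fossa Guard's code: local key and CSR generation (only the
# CSR leaves the client), the self-signed variant, and the identity/validity
# checks applied on import and at signature verification time.
# Assumes the third-party `cryptography` package is installed.
import datetime as dt
from email.utils import parsedate_to_datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def local_key_and_csr(name, email):
    """Key pair and CSR created locally; the CSR binds the address as an rfc822Name SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)]))
           .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr

def self_sign(key, csr, days=365):
    """'Enroll Self-signed Certificate': the CSR is signed with its own key, no CA involved."""
    now = dt.datetime.now(dt.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(csr.subject)
               .public_key(csr.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days)))
    for ext in csr.extensions:                      # carry the SAN over from the CSR
        builder = builder.add_extension(ext.value, ext.critical)
    return builder.sign(key, hashes.SHA256())

def cert_emails(cert):
    """Addresses the certificate is bound to (rfc822Name SAN entries, lower-cased)."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return set()
    return {e.lower() for e in san.get_values_for_type(x509.RFC822Name)}

def usable_for(cert, user_email, at=None):
    """Import rule: issued to the logged-in user's address and inside its validity period at `at`."""
    at = at or dt.datetime.now(dt.timezone.utc)
    nb = getattr(cert, "not_valid_before_utc", None)   # cryptography >= 42; else naive UTC fallback
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None:
        nb = cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    return user_email.lower() in cert_emails(cert) and nb <= at <= na

def usable_at_sent_date(cert, user_email, date_header):
    """Verification rule: judge the signer's certificate at the email's Sent (Date header) time."""
    return usable_for(cert, user_email, at=parsedate_to_datetime(date_header))
```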

Fossa Guard Pro 1.0 improvements


Roboto font

  • Roboto has been introduced as the default font to align with the overall Gmail appearance.

Compose / View dialogs

  • Fossa Guard Compose / View dialogs can be minimized by clicking on the header, so they do not block creating and viewing other S/MIME emails.



  • Minimized Compose / View dialogs are shown as bars at the bottom of the Gmail window and can be restored by clicking on the subject or closed by clicking on the cross icon.

Search Index



  • The search index size is shown as a bar indicating the amount of available space.


Informational warnings for error cases


  • Informational alerts and warnings have been added for extension invalidation, user authentication, authorization, and synchronization errors.

See the detailed article on this point: http://fossaguard.blogspot.com/2020/03/fossa-guard-authentication-and.html

Recipient certificate details and status

Recipients are presented as pills whose color and icon indicate the status of the recipient's certificate:

  • Green - there is at least one valid certificate for the email address
  • Red - there is at least one invalid certificate for the email address
  • Grey - there is no certificate for the email address



Clicking on a recipient's pill opens the `Recipient Details` popup with information from Contacts (photo, name, email) and the list of certificates found in the local Chrome extension storage. There are in-place options to

  • Load a certificate from a file
  • Load a certificate from the Fossa registry


Clicking on the certificate info opens the `Certificate Details` popup displaying the internal information of the selected certificate.


Fossa Guard Pro 1.0 released

27 June 2020

Glad to announce that the Fossa Guard Pro 1.0 commercial release is available at https://chrome.google.com/webstore/detail/fossaguardpro-encrypt-gma/opfepnmdnnmiiemnkhaneagicmlakdjh


An S/MIME end-to-end encryption Chrome extension for Gmail with:
• S/MIME formats supported (including attachments)
  • Sign
  • Encrypt
  • Sign-then-Encrypt
• Constant pricing of about $1.99 per month
• Interoperability tested with
  • Outlook
  • Thunderbird
Release details will follow in further articles on this blog.

Future plans

• Triple wrapping: Sign-then-Encrypt-then-Sign, using 2 private keys
• Firefox, Opera and Yandex browser support
• Mobile Gmail web version support

Saturday, August 10, 2019

How to run Fossa Guard on Android

This guide describes how to run the free version of the Fossa Guard extension (V0.4.6+) in the mobile Yandex browser on Android to enable end-to-end S/MIME encryption on top of Gmail on your mobile.

On your Android mobile:
1. Install and run the Yandex browser.
2. Navigate to the Chrome Web Store and find the free Fossa Guard extension.
3. Click 'Add to Chrome' and then 'Add Extension' to install the Fossa Guard extension.
4. Navigate to the Fossa Guard extension via the Yandex browser 'Extensions' menu.
5. Switch to portrait mode for convenience (work on a responsive UI is ongoing).
6. Click 'Login to Extension' to associate your Google account with Fossa Guard; a new tab with Google authentication should appear in the Yandex browser.
7. Navigate to this tab using the Yandex tabs menu and authenticate to the corresponding Google account (we use fossa.user@gmail.com).
8. Allow Fossa Guard to use the requested permissions. On success, the Google authentication tab is closed automatically.
9. Navigate back to the Fossa Guard tab to check the settings.
10. At this point you have 2 options: import your backed-up personal certificate and key, OR enroll a free personal certificate from Fossa CA.
11. Fossa certificate enrollment is based on local key pair generation in your Yandex browser, without sharing the private key. The Certificate Signing Request (CSR), for Fossa CA to sign the certificate, is sent over an SSL-secured HTTP connection. Click 'Enroll Fossa Certificate' to initiate the flow.
12. To establish the secured SSL connection over HTTP, navigate to 'Fossa.me Server', log in using the same Google account and copy the one-time shared secret.
13. Paste the shared secret into the Fossa Guard extension and proceed with the enrollment.
14. Once the signed certificate is received back from Fossa CA, the extension asks for a strong passphrase to protect your private key (which stays within your browser the whole time).
15. Your private key is saved in the local Yandex browser storage on your phone and is never exposed outside it.
16. Once the enrollment is done you should get an invitation to start secure mailing with Gmail.
17. Navigate to the mobile web version of Gmail.
18. Ensure that you are logged in to Gmail with the same Google account (we use fossa.user@gmail.com).
19. You should notice the green 'S/MIME' button at the top right. Click it to compose an S/MIME email.
20. Type 3 letters of your recipient's address and you should get a list of matching contacts to select from. Fossa Guard automatically checks whether the addressee has a Fossa certificate and indicates it by the green color of the email pill.
21. Once you have finished composing the S/MIME message, click 'Send S/MIME'; it is sent using the Gmail API and should appear in the Sent folder marked with the 'S/MIME' label.
22. Click on the S/MIME labeled email to check the details: you will find an 'smime.p7m' attachment, which is unreadable for Google robots, and a notification from the extension that this email was composed using S/MIME.
23. Click 'View Content' and you will be asked for the passphrase to access your private key (locally, within your current browser session).
24. Once you provide the correct passphrase, the extension decrypts the message and shows it in a dedicated window.
25. If the email address of your Gmail account does not correspond to the email address of the Google account associated with the extension, you will get a notification to use the same account. This is the identity check Fossa Guard performs to secure access to the private key.