How to Exchange Encrypted Messages on Any Website

A new tool brings simple encrypted messaging to any webmail or social networking site.
November 5, 2014

After last year’s revelations about U.S. Internet surveillance raised interest in privacy tools, Google and Yahoo both announced they were working on software to let people who use their e-mail services easily exchange encrypted messages.

Now a prototype browser extension called ShadowCrypt, made by researchers at the University of California, Berkeley, and the University of Maryland, goes even further. It makes it easy to send and receive encrypted text on Twitter, Facebook, or any other website.

Using ShadowCrypt, a person who writes or is authorized to read a tweet or e-mail sees normal text. The site operator or anyone else looking at or intercepting the posting would see a garbled string of letters and numbers.

ShadowCrypt was created to show that strong encryption could be made both simple to use and compatible with popular services such as Twitter, says Devdatta Akhawe, a security engineer at Dropbox who helped develop ShadowCrypt as a grad student at Berkeley. “We wanted to show how you could make a practical, fast mechanism that is easy to use,” he says. Akhawe and colleagues tested ShadowCrypt on 17 different major Web services; it worked more or less flawlessly on 14, including Facebook, Twitter, and Gmail.

PGP, software first released in 1991, is probably the best-known software for encrypted messaging, but it is notoriously difficult to master. In general, existing tools for encrypted messaging tend to either require switching to a new service, such as Silent Circle (see “An App Keeps Spies Away from Your Phone”), or are very clunky.

To use ShadowCrypt you install the extension and then create encryption keys for each website you wish to use it with. A small padlock icon at the corner of every text box is the only indication that ShadowCrypt is hiding the garbled encrypted version that will be submitted when you hit the “send” or “post” button.

Other people can read that text if you give them the encryption key used to create it, which they then add to their own ShadowCrypt settings. After they have done that, any text they view that has been encrypted with that key appears normal to them.

For example, the tweet below is perfectly readable to anyone who has installed ShadowCrypt, because it was encrypted using the extension’s default key for Twitter.com. Multiple keys can be made for any one site, and it is easy to choose among them. You might use a different one for each person you wish to e-mail securely, for example.
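
The per-site key model described above can be sketched in a few lines. This is an added example, not ShadowCrypt's code or wire format: the `Keyring` class, the `MARKER` prefix, the key fingerprint and the choice of AES-256-GCM are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const MARKER = '=?demo-enc?'; // hypothetical tag, not ShadowCrypt's wire format

class Keyring {
  constructor() { this.sites = new Map(); } // origin -> Map(fingerprint -> key)

  // Store a 256-bit key for one site; the fingerprint names it inside messages.
  addKey(origin, key = crypto.randomBytes(32)) {
    const fp = crypto.createHash('sha256').update(key).digest('hex').slice(0, 16);
    if (!this.sites.has(origin)) this.sites.set(origin, new Map());
    this.sites.get(origin).set(fp, key);
    return fp;
  }

  // What the text box submits to the site: marker, key fingerprint, ciphertext.
  encrypt(origin, fp, plaintext) {
    const key = this.sites.get(origin)?.get(fp);
    if (!key) throw new Error(`no key ${fp} for ${origin}`);
    const iv = crypto.randomBytes(12); // fresh nonce for every message
    const c = crypto.createCipheriv('aes-256-gcm', key, iv);
    c.setAAD(Buffer.from(origin)); // bind the ciphertext to the site it was written for
    const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
    const blob = Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
    return `${MARKER}${fp}:${blob}`;
  }

  // What a reader's browser shows: plaintext if the key is held, else the raw text.
  render(origin, text) {
    if (!text.startsWith(MARKER)) return text; // ordinary, unencrypted post
    const [fp, blob] = text.slice(MARKER.length).split(':');
    const key = this.sites.get(origin)?.get(fp);
    if (!key || !blob) return text; // no matching key: the post stays garbled
    const raw = Buffer.from(blob, 'base64'); // layout: iv(12) | tag(16) | ciphertext
    try {
      const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
      d.setAAD(Buffer.from(origin));
      d.setAuthTag(raw.subarray(12, 28));
      return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
    } catch {
      return text; // modified or wrong-site ciphertext fails authentication
    }
  }
}
```

Two readers who call `addKey` with the same key bytes for the same site derive the same fingerprint, so either can render what the other posts; everyone else, including the site operator, sees only the marker and the base64 blob.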

ShadowCrypt is still a research project, but independent cryptography researcher Justin Troutman says its design demonstrates a useful new approach to online security.

That’s because it offers a way for people to take control of the security of the data they put into a Web service, he says. More often, most attention is paid to protecting data only as it travels to and from service providers’ servers. “It’s a step toward building a more benign surface for interacting with Web apps,” says Troutman.

A paper on ShadowCrypt, the code for which is open-source, will be presented at the ACM Conference on Computer and Communications Security this week.
