Rawpixel - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How does Pretty Easy Privacy secure online communications?

The open source Pretty Easy Privacy project is a user interface that helps users secure communication channels. Expert Michael Cobb outlines how it works.

A new open source encryption tool called "Pretty Easy Privacy" or "pEp" is available for online communications. How does it work? Is it something that enterprises can use, and how does it compare to other similar encryption tools?

In response to concerns about mass surveillance, a number of open source projects have been created to help better secure online communications. The big problem with security, though, is making it easy to use. Robust security protocols and technologies exist, but they generally suffer from poor usability. For example, the average user does not want to understand key management in order to send an encrypted email. Also, people want to continue using their favorite apps and not have to get all their friends and colleagues to install a plugin or even another app in order to communicate securely.

Pretty Easy Privacy (pEp) is an open source project that hopes to make it simple for anyone to tell how secure their text communications channels are and how to make them more secure with little know-how or effort. It's not a standard but a user interface; a plugin for Microsoft's Outlook email client is already being piloted by a couple of large companies.

Upon installation, pEp automatically generates encryption keys for the user or imports them from a local PGP client. It will encrypt communications even if the recipient doesn't use pEp but has another PGP or S/MIME client installed. The plugin uses color-coded trust indicators for email contacts, denoting whether encrypted communication is possible with the selected contact. Interestingly, "yellow-level" -- which denotes that encryption is technically safe -- requires RSA keys of at least 2048-bits and is not dependent on a public certificate authority; this is due to the possibility of a CA being compromised either by hackers or a nation state. In fact, pEp is keen to avoid the vulnerabilities inherent in any form of centralized infrastructure like servers and directories, and uses peer-to-peer technology for anonymous transport. The top level of security -- color green -- requires both users to exchange pEp-generated safe words over the phone to verify that no one has executed a man-in-the-middle attack to spy on the conversation.

A successful crowdfunding campaign shows plenty of people think Pretty Easy Privacy is a good idea; the plan is to create plugins for email platforms that provide an API such as Gmail so users can still use their preferred programs, only more securely. Plugins aren't possible for mobile platforms like iOS and Android, so pEp is planning apps for these that pull in and centralize messages from other communications apps on the device such as WhatsApp, Facebook and Twitter.

Pretty Easy Privacy uses established open standards including GnuPG and NetPGP to provide peer-to-peer communication with end-to-end encryption and meta-data level of privacy. Before each release, a hired analyst will publish the results of a code review; since it's open source, anyone can review the code. While most pEp software will be free and released under GNU General Public License version 3, the team will also develop business products that will be sold on a commercial basis. PEp's goal is to make security simple, so for enterprises struggling to get employees to embrace the need for secure communications it may be worth investigating.

Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Get help finding the most secure video chat app for use in your enterprise.

When will organizations be mandated to provide access to encrypted info?

This was last published in April 2015

Dig Deeper on IPv6 security and network protocols security