We looked at securing your email yesterday using PGP but what if you use a web-based email provider such as Google, Yahoo!, or Windows Live? The PGP method is great for securing your email client but won’t help you much when you’re using webmail. So how can we encrypt and digitally sign our webmail for free? By using GWEBS MailCloak, that’s how.

Why would you want to do this? You never know who may be eavesdropping and reading your email. Many webmail providers also store and index every email message their systems create, send, receive, pass along, etc. This is a problem because this index can be searched by users as well as Internet Service Providers. I’m not going to list all of the reasons why this is a bad idea but let’s put it this way: why give the webmail providers this kind of power, often without any accountability to its users, when you can secure your email easily and for free?

MailCloak is a great solution for people who use laptops to check their Gmail or Yahoo! mail on the go. It gets even better if you use Firefox. With Firefox you can install the GWEBS MailCloak plugin in about 5 seconds and set up your keypair in another 5 seconds. Before you try this, make sure your webmail provider is supported first by checking out the list of supported mail systems.

Let’s give it a try.

Step One: Download GWEBS MailCloak

Download the GWEBS MailCloak for Firefox plugin from their website by clicking the Download button. After you’ve clicked Download you’ll be presented with a “Thanks for installing MailCloak” page that will describe installation instructions. Follow these instructions and you’ll have to restart Firefox.

Step Two: Configure

When Firefox restarts you should see a new plugin residing in your status bar. It should look like this:

You should be presented with a popup titled “MailCloak – Add Identity – Generate Keypair” automatically when Firefox restarts. Follow the instructions to set up your keypair.

Once you’ve successfully created your keypair you need to login to your webmail account. When you login to your account you should receive a popup from MailCloak asking you if you would like to bind your email address to MailCloak. You’ll have to bind your email address in order to exchange secure email.

Step Three: Test

MailCloak should be ready to encrypt and sign your webmails now. Let’s test it by sending ourselves an email which will allow us to test whether or not MailCloak is encrypting, signing, decrypting, and verifying the signature all at once.

Compose a new message with some dummy text and send it yourself. You should see a popup that says it’s encrypting the email body. After that has completed you should see a new message in your inbox with some additional subject material such as “BEGIN PGP MESSAGE Version …”. Open this email, you should be prompted for your MailCloak password and after supplying your password you should see another popup that states the email body is being decrypted.

There you have it. Quick and easy email encryption for free.

Observations

Your friends and co-workers will also need to install and use MailCloak in order for this to work by exchanging keys. I don’t know how MailCloak handles an email when someone doesn’t have the MailCloak plugin. PGP will revert back to plaintext in a situation where it is unable to find the appropriate keys for a member.

MailCloak will not help you if you check your webmail on public computers unless the plugin is or can be installed on the system (most likely not).

You can easily turn MailCloak on and off by left-clicking the “gWebs MailCloak” text in your status bar. Other options are also available by right-clicking this same text. I would recommend setting the Advanced options under the Advanced tab to your preferences.

Conclusion

Encrypting your free webmail for free is easily accomplished using MailCloak. Free email and free encryption? That’s a bargain if you ask me.

Left-clicking on the “gWebs MailCloak” text will turn the plugin on and off. If you right-click you’ll be presented with a menu of options.