Developers at Google have released an experimental tool—for Gmail and other Web-based services—that's designed to streamline the highly cumbersome task of sending and receiving strongly encrypted e-mail.

On Tuesday, the company unveiled highly unstable "alpha" code that in theory allows people to use the Google Chrome browser to generate encryption keys, encrypt e-mails sent to others, and decrypt received e-mails. Dubbed End-to-End, the Chrome extension also allows Chrome users to digitally sign and verify digital signatures of e-mails sent through Gmail and other services. The code implements a fully compliant version of the OpenPGP standard, which is widely regarded as providing virtually uncrackable encryption when carried out correctly.

As Ars documented last year, the problem with just about every e-mail encryption software package available today is that it requires much more time and effort than sending plain-text mail. Microsoft's Outlook application, for instance, frequently crashes when working with the open-source GnuPG encryption suite. Some Outlook users, including this reporter, also experience problems when receiving encrypted e-mail from Mac users, since the encrypted messages are included in an attachment rather than in the body. End-to-End is intended to ease such burdens.

"While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use," Stephan Somogyi, a Google product manager for security and privacy, wrote in a blog post published Tuesday. "To help make this kind of encryption a bit easier, we're releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools."

The blog post and the accompanying code release were quick to point out that End-to-End is not yet ready for general use. That's because it's extremely hard to create reliable encryption ciphers, and it's even harder to securely implement them in software. Security experts are rightly extremely cautious of new algorithms and implementations until they have been rigorously tested by a large number of users over an extended period of time. Google has expanded the scope of its bug bounty programs to offer cash rewards for reports of exploitable security bugs in End-to-End.

"The End-to-End team takes its responsibility to provide solid crypto very seriously, and we don't want at-risk groups that may not be technically sophisticated—journalists, human-rights workers, et al.—to rely on End-to-End until we feel it's ready," a note included with the code release stated. "Prematurely making End-to-End available could have very serious real world ramifications."

At the moment, there's good reason to suspect End-to-End may have extremely serious flaws that could completely compromise an end user's security. Private keys are stored in memory unencrypted and are controlled with code based on JavaScript, a programming language that has suffered its share of vulnerabilities in the past. JavaScript crypto is also subject to so-called side-channel attacks, which ferret out private keys by measuring power consumption, electromagnetic emanations, timing differences, or other indirect channels of a crypto engine. Some of the risk may be minimized by a design in End-to-End that wraps in-memory private keys inside the Chrome security sandbox, but until that protection has been thoroughly tested, it shouldn't be relied on to prevent other apps from being able to pluck out and compromise these crown jewels. Even so, Tuesday's alpha release has already sparked interest among cryptographers and privacy advocates. End-to-End holds great promise.

Separately on Tuesday, Google issued a transparency report that estimated as much as 50 percent of e-mails sent between Gmail and other e-mail providers aren’t encrypted by the transport layer security (TLS) protocol as they travel over the Internet. Google servers have supported such SMTP-TLS encryption for years, but the offering is meaningful only if both services provide it.

According to American Civil Liberties Union technologist Chris Soghoian, ISP Comcast is weeks away from deploying server-to-server e-mail encryption on its network.