Fossa Guard

Fossa Guard is the expansion for the Google Chrome browser supporting a format of the message of S/MIME (Secure/Multipurpose Internet Mail Extensions), integrated into Gmail.

On November 11, 2016 the Fossa Team company announced availability of service by the ciphered and signed information - fossa.me and expansions for the Google Chrome browser - Fossa Guard as components of one of options of implementation of technology of exchange ciphered by email messages.

The fossa.me service provides (for November 11, 2016 partially) a public key infrastructure (PKI - Public Key Infrastructure) for release and management of S/MIME certificates. The register of everything, earlier issued certificates, the facilitating search of the certificate of the specific user of fossa.me service acts on the party of service.

Fossa Guard is expansion of the Google Chrome browser, it helps:

• generate couple of keys,
• request, to safely receive and use S/MIME the certificate for e-mails,
• store and synchronize a private key between the user's computers,
• import and use third-party (not Fossa) certificates.

It is enough to user to install the extension and, having undergone the procedure of obtaining the certificate, to begin to use S/MIME messages directly from Gmail service, without any additional registration (existence of the account of a Google service is required.

Technical details of PKI implementation

Implementation of PKI on fossa.me is supported by two certification centers: Root F1 and Authority F2. Root F1 uses a RSA key 4096 bits long, Authority F2 uses a RSA key 2048 bits long. Fossa.me consists of two independent services: EST and CA.

The first implements the Enrollment over Secure Transport (EST) protocol described in RFC 7030 and executes acceptance and processing of a request for the signature of the certificate - Certificate Signing Request (CSR).

Successfully authorized inquiries are sent to CA service which basic function generation and the signature of S/MIME certificate of the user. The CA service, on receipt of CSR, checks compliance of email of the required certificate with email of Google account which the user will become authorized on Fossa.me service.

If everything is all right, SA service generates S/MIME certificate of the user and signs it with the Authority F2 key.

Authority F2 also publishes the Certificate revocation list - Certificate Revocation List (CRL), helping the user to withdraw the compromised certificate on the server.

Scheme of interaction between Fossa Guard and fossa.me, (2016) service

Technical details of Fossa Guard

Fossa Guard – is able to work with messages in the S/MIME format and supports the following types: multipart/signed, application/pkcs7-mime with signed-data and enveloped-data.

The procedure of a request of the certificate begins with generation of pair from asymmetric keys and creation of CSR'a (Certificate Signing Request). There is a choice between RSA keys 2048 or 4096 bits long.

CSR goes under the HTTPS protocol to processing to Authority F2 certification center on the Fossa.me server.

The private key is stored in the password-protected container PKCS#12 in storage of the Google Chrome browser of the user account for automatic synchronization between all devices of the user.

After obtaining the certificate, opening the Google Mail page it will be possible to create and read letters in S/MIME format. For creation of the letter Fossa Guard adds the S/MIME button to the right of the Compose button (to Write).

Screenshot of a window of the browser, (2016)

For example, S/MIME letter with the signature (application/pkcs7-mime with signed-data) looks as the letter with smime.p7m investment. For viewing it is necessary to use the link View content in a letter body.

Fossa Guard uses the dialog for creation and viewing letters that helps to avoid hit of the unprotected contents of the letter in Google Mail which actively practices autosave.

Dialog supports by default a HTML-format. There is a support of investments no more than 100 KB in size (restriction of the current version of expansion). For increase in security it is recommended to close a browser tab after completion of work with Google Mail - it initiates the procedure of removal of investments from memory of the browser.

In the Fossa Guard settings it is possible to look at parts of the issued certificate, to manage 2 lists of certificates: entrusted and user.

Expansion allows to import the third-party entrusted and final certificates in the DER and PEM formats.

For the signed letters there is a possibility of viewing certificates and their import to lists of the entrusted and user certificates.

According to the statement of developers, the functionality of service is limited, though provides basic opportunities on the organization of the protected correspondence using S/MIME technology.