A Simple Chrome Extension Encrypts Facebook, Twitter, and Gmail Messages

By Kate Knibbs

If you want to make sure you're sending a secure message, there's a whole slew of privacy-minded services that include encryption these days. But sometimes you just want to send something on Facebook without feeling like you're a prime candidate for digital eavesdropping. That's where ShadowCrypt comes in.

Researchers at UC Berkeley and the University of Maryland created the browser extension, which lets people exchange encrypted messages from most popular social web apps, including Gmail, Facebook, Reddit, and Twitter.

ShadowCrypt is compatible with over 14 popular web services, and appears simple enough to use. You install it on Chrome, and then you can generate encryption keys for any of its compatible services. Then you share the encryption key with the person the message is intended for. This means they'll be able to see what you've sent, but everyone else (including the site operator) will see digital gibberish.

I tested it out on Twitter and it was easy enough to use: just toggle the extension on and type what you want. There's a default key that anyone using ShadowCrypt has access to, so you have to get a new one if you want yours to be properly locked down (I just used the default here because I didn't actually have anything top-secret to tweet).

This is what my tweet looked like to the outside world:

But if you had access to the key, it just said "Hello there."

Here's a general demo of how ShadowCrypt works:

For now this is just a research project, but it's proving an important point: it's not that hard for any big service to provide encryption. Google and Apple are already making strides to encrypt data, but other services (like Twitter and Facebook) are lagging behind.

ShadowCrypt's methods didn't iron out all of the usability problems that crop up when you integrate encryption into pre-existing programs. Some of the programs didn't work well with ShadowCrypt, like Google Spreadsheets. And even those that did work weren't perfect. For instance, if you tweet with it, you're limited to a paltry 45 characters since the encryption takes up the rest of the space. This is just a sticking-plaster solution that draws attention to how important it is for services like Twitter to come up with native encryption options. But it's a pretty nifty sticking-plaster. [TechnologyReview]