Photo for FAQ page

Penango FAQ

  1. What is Penango?
  2. What browsers does Penango support?
  3. Where does Penango work?
  4. How do I send encrypted e-mail using Penango?
  5. What is the .p7s attachment on my e-mails? Is that my certificate?
  6. How secure is Penango?
  7. Is Penango’s technology (S/MIME) compatible with other e-mail clients?
  8. What is LDAP?
  9. Why does Penango use LDAP?
  10. What is the importance of Automatic LDAP-Based Certificate Directory Lookup?
  11. Does the Penango software collect personal information?
  12. How is Penango priced?
  13. Why does the Penango infobar display "someone at <[e-mail address]> sent this message" rather than my name or the sender's name?
  14. I am currently using Gmail S/MIME; how does it differ from Penango?
  15. Will Penango support PGP/GPG?
  16. Will you support [insert cryptography method here]?
  17. Will you support [insert webmail platform here]?
  18. Will you support cloud-signing services?
  19. I love Penango! But, it’s not available in my language. Can I help?
  20. I love Penango! Can I change your source code?

What is Penango?

Penango is an add-on to your web browser that adds authentication and encryption to your Gmail, Zimbra, or Google Apps webmail, so that you can sign, encrypt, and decrypt your e-mail using the same webmail you've been using. It is a suite of client-side cryptology and message processing components that provides you with true end-to-end encryption: your encrypted e-mail messages stay encrypted during transit and at rest on the server. In addition, with Penango, there are no encryption gateways and no extra passwords to remember. Back to top.

What browsers does Penango support?

Currently, Penango works on Mozilla Firefox versions 3-21 and 24-26, Microsoft Internet Explorer versions 6-9, and Maxthon 2. If you would like to request Penango for your favorite web browser, please let us know here. Back to top.

Where does Penango work?

Penango is a web browser extension, not a plugin or an applet. A plugin runs whenever the webpage you visit decides to invoke it. An applet is worse, since the code is downloaded from the web server that might be trying to attack you.

In contrast, Penango only runs on authenticated webpages. This behavior protects Penango and your secret data from attackers. In other products, an attacker can set up a fake webmail site and cause those products to decrypt arbitrary data or send arbitrary signed messages without your consent (or with uninformed consent).

For this reason, Penango only starts up on websites that have been pre-authenticated. We strongly recommend that webmail installations use HTTPS (SSL/TLS), because this layer of transport security protects against man-in-the-middle attacks. Back to top.

How do I send encrypted e-mail using Penango?

In order to send encrypted e-mail, (1) you will need a certificate and a private key (if you don't have these, you can follow Back to top.

What is the .p7s attachment on my e-mails? Is that my certificate?

The .p7s attachment is part of the overall message structure, which is a multipart/signed MIME message with the second part being application/pkcs7-signature. The attachment is known as a "detached signature." The signature blob includes the cryptographic signature and your certificate(s). With it, a user can verify the message signature with respect to your certificate without your needing to communicate the certificate separately. Back to top.

How secure is Penango?

At Penango, our definition of "secure" is end-to-end encryption. With Penango, your encrypted messages stay encrypted in transit and at rest on servers; only you (the sender) and your intended recipients can decrypt them.

Neither Penango, Inc., nor anybody else can read your data — not even your service provider. Penango does not use proprietary protocols or algorithms for authentication and encryption. We use the S/MIME standard, which already works with every major software-based e-mail client out there. Penango meets or exceeds security standards such as FIPS 140-2, HIPAA, and Massachusetts 201CMR17. Back to top.

Is Penango’s technology (S/MIME) compatible with other e-mail clients?

Yes. When you send and receive e-mail with Penango, your e-mail will automatically interoperate with the major e-mail clients such as Mozilla Thunderbird, Microsoft Outlook, Microsoft Outlook Express, Windows Live Mail, Apple Mail, Novell Evolution, and others.

S/MIME is the IETF standard for end-to-end authenticated and encrypted e-mail. It is standardized in RFCs 2630-2634. Back to top.

What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is a widely-used way of looking up information, and is usually used to look up information in a directory or contact list. LDAP is also used to add and edit information in a directory or contact list. Back to top.

Why does Penango use LDAP?

To find and retrieve recipients’ certificates, Penango uses a patent-pending LDAP-based certificate lookup method, called Automatic LDAP-Based Certificate Directory Lookup. This function quickly finds and validates the certificates of your e-mail messages’ recipients as you compose an e-mail message, so that you can encrypt the message to them and make the message decryptable only by them. (In order to send encrypted e-mail, you and all the recipients of the e-mail must have valid certificates.) The recipients need not be Penango users; all that is required is that the recipients’ certificates be located on an LDAP server or Active Directory. Back to top.

What is the importance of Automatic LDAP-Based Certificate Directory Lookup?

Penango’s Automatic LDAP-Based Certificate Directory Lookup facilitates secure e-mail communication among users within a single enterprise and across different organizations. Users who wish to send an encrypted e-mail no longer need to first request and receive signed e-mail messages from all their intended recipients in order to obtain the certificates necessary to send an encrypted e-mail message. Back to top.

Does the Penango software collect personal information?

We protect your personal information by not collecting it in the first place. In general, Penango may store personal information in-memory, but does not submit that information to Penango, Inc. and does not save it to disk (but your operating system might as part of its normal operation). Penango also encrypts passwords in memory using operating system features when available. Additional practices are disclosed in the Penango EULA, which is available in distributions of Penango. See our privacy policy for collection practices on this site. Back to top.

How is Penango priced?

Penango for Firefox is free for users of free Gmail and free Google Apps. Penango for Firefox or Internet Explorer for users of paid Gmail, Zimbra, and paid versions of Google Apps starts at $21.95 per year per mailbox.

Penango costs just a fraction of the price of your base webmail platform, far less than other encryption solutions like “encryption gateways” that are harder to set up and give you less security. One license lets you use the Penango Webmail Client functionality with one mailbox on every web browser and operating system that we support. You can have an unlimited number of e-mail addresses associated with the mailbox.

Since Penango enhances privacy as well as security, in contrast to to most webmail services, we do not force end users to pay for the product by giving up their privacy.

In addition, we recognize that Gmail users are some of our most zealous supporters. Therefore, we are letting users use Penango free of charge on free and public versions of Gmail with Mozilla Firefox on Windows, Mac, and Linux. If you get Penango for Firefox and go to your Gmail account, it will start working immediately. Back to top.

Why does the Penango infobar display "someone at <[e-mail address]> sent this message" rather than my name or the sender's name?

The Penango infobar displays information that can be verified. Many certification authorities verify only the e-mail address of a user. In order to display only information that can be verified, Penango does not display the name unless:

  • The certificate was issued at a high level of assurance; implying that the name of the user, and not simply the e-mail address of the user, was verified prior to issuing the certificate; or
  • the certificate was issued to a well-known individual, that is, an individual whom we (employees at Penango, Inc.) can directly verify.

I am currently using Gmail S/MIME; how does it differ from Penango?

Penango is actually formerly known as Gmail S/MIME. Many improvements have been made since then and if you loved Gmail S/MIME, then you will definitely love Penango. Back to top.

Will Penango support PGP/GPG?

Sometimes we receive requests for this technology stack. Support for PGP/GPG is on our roadmap. You can always send us a note of encouragement if it’s an important requirement for you or your organization. Back to top.

Will you support [insert cryptography method here]?

Penango authenticates and encrypts stuff in webpages to provide a hassle-free, end-to-end, in-webmail experience. Although we like S/MIME, we are not exclusive to it. If you have some cryptography thingamajig and would like to partner with us, please fill out our partnership contact form. Back to top.

Will you support [insert webmail platform here]?

We would like to! As always, you can send us a note of encouragement if it’s import for you or your company to use that webmail platform. Additionally, if you are a representative of that webmail platform, please fill out our partnership contact form so that we can start to work with you. Back to top.

Will you support cloud-signing services?

Penango, Inc. does not intend to run a hosted key service. We provide our security guarantees by not storing your data or keys on our servers in the first place. We don’t want your data or keys.

That said, if you trust somebody else (or somebody in your own organization) to host your keys, you can give them your keys while still preserving many of Penango’s end-to-end security guarantees. Even if a cloud-signing service provider has your keys, for example, your data still remains safely encrypted with your webmail provider. If you are a cloud-signing provider and want to enable your service with Penango, please fill out our partnership contact form. Back to top.

I love Penango! But, it’s not available in my language. Can I help?

Yes! We want to make Penango available to everyone worldwide, and we welcome translation contributions.

Penango operates in a unique localization environment because it bridges your local web browser and operating system with webpage content. Most of Penango can be localized with a trusty text editor and knowledge of your target language. We use .properties files to store the bulk of our translations. The Penango Infobar uses the Penango Authentication Grammar (PAG) to dynamically render cryptographic proofs into plain-language statements. Translating the PAG is a little bit more work, but Penango staff can help you out with the task.

Information about translating Penango will be available in the future on this site. Until then, contact us so we can get you set up with a Contributor Agreement and the tools you need to get Penango running. Back to top.

I love Penango! Can I change your source code?

“User JS” is a feature that we are considering in a future Penango release. With “user JS,” you will be able to change how Penango behaves in your own webmail environment. Contact us and ask to be added to our release list to hear about the latest announcements. Back to top.