
But as I'm typing, Gmail is saving my draft automatically to Google servers. Normally, at least. This means Google would have a copy of my email as it existed before I encrypted it.

In your testing, do you see any evidence that this extension prevents Gmail's automatic draft saving?



In the FAQ they mention "End-To-End doesn’t trust any website's DOM or context with unencrypted data. We have tried to ensure that the interaction between the extension and websites is minimal and does not reveal secrets to the website."

I'm curious about this too. Does that mean they somehow insert a textbox that the host page can't see? I didn't realize extensions could do that.

Edit: ah, this appears to be where it happens. They insert an iframe the extension owns, so the host page won't be able to see what's in it:

https://code.google.com/p/end-to-end/source/browse/javascrip...
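The iframe approach described in the comment above, sketched as an added example that is not part of the thread and not End-To-End's code. The `compose.html` page, the extension ID and the stand-in DOM objects are assumptions made so the origin comparison can run under Node:

```javascript
// Added illustration, not End-To-End's code. COMPOSE_PAGE and the extension ID are hypothetical.
const COMPOSE_PAGE = 'compose.html'; // must be listed in the manifest's web_accessible_resources

// Origin as the same-origin policy compares it: scheme, host and port.
// URL.origin is avoided because Node reports "null" for chrome-extension: URLs.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// True when script running in the embedding page may reach into the frame's document.
function pageCanReadFrame(pageUrl, frameUrl) {
  return originOf(pageUrl) === originOf(frameUrl);
}

// Content-script side: put an extension-owned frame right after the site's editor.
// `runtime` is chrome.runtime in a real extension; it is passed in so the
// function can also be exercised outside a browser.
function mountComposeFrame(doc, runtime, editor) {
  const frame = doc.createElement('iframe');
  frame.src = runtime.getURL(COMPOSE_PAGE);
  frame.style.width = '100%';
  frame.style.border = '0';
  editor.parentNode.insertBefore(frame, editor.nextSibling);
  return frame;
}

// Constructed stand-ins for the DOM and chrome.runtime so this runs under Node.
function demo() {
  const inserted = [];
  const editor = { nextSibling: null, parentNode: { insertBefore: (n) => inserted.push(n) } };
  const doc = { createElement: (tag) => ({ tag, style: {} }) };
  const runtime = { getURL: (p) => `chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh/${p}` };
  const frame = mountComposeFrame(doc, runtime, editor);
  const page = 'https://mail.google.com/mail/u/0/'; // constructed page URL
  return {
    src: frame.src,
    mounted: inserted.length === 1 && inserted[0] === frame,
    hostPageCanRead: pageCanReadFrame(page, frame.src),
    sameOriginFrameReadable: pageCanReadFrame(page, 'https://mail.google.com/compose'),
  };
}

console.log(demo());
```

The host page still owns the iframe element itself, so it can move, hide or remove the frame; what it cannot do is read or script the document inside it.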


It would be nice if that got added to the PwdHash[1] extension[2]. The PwdHash Chrome extension currently seems to just try to capture all keyboard events while the master password is entered in a site's password box. Also, it seems to me that it runs in the site's context.

[1] https://www.pwdhash.com/

[2] https://code.google.com/p/chrome-pwdhash/


Nice find!


But when displaying the cleartext of a previously sent email or received email... they must be able to decipher the encrypted text in order to display it to the viewer, no?


Sure, the extension can read the encrypted text from the DOM. But it then displays it in an iframe which the original site doesn't have access to.


Not if you choose to first type your message in the textarea on the website, but this is optional. You can also click the extension icon, and begin typing your message in the extension window. That way it never touches the DOM of the target page, but it is slightly less convenient.


The extension encrypts and saves the drafts in localStorage.


Virtru has draft protection in Gmail.



