I just joined this list and wanted to share my view on a post from Karel:

> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,

This was not my position. I commented on this topic as follows:

> But of course best is to have the choice. Therefore I would like to see two
> different modes in Mailvelope:
> the current one (as default) that is integrated in webmail with all the risk
> and all the comfort.
> And a second one that offers strong isolation but maybe less usability. The
> mode is then configurable in the settings.

see: https://github.com/toberndo/mailvelope/issues/14

I agree that the security limitations of Mailvelope have not been communicated properly from the start. It's a young project, I didn't see all implications from the beginning, and there has also been no security audit yet. Meanwhile I put a section in the documentation that describes the limitations to the best of my knowledge: http://www.mailvelope.com/help#security

Mailvelope has a strong focus on usability. It wants to lower the barriers of entry to email encryption for people with no previous experience in this field.

The question I want to ask with this project is: let's assume there is a correlation between the usability of a security solution and the number of people who are willing to use it. There should be a big target group who either use a convenient solution or stay away from e.g. email encryption altogether. A copy&paste solution from Karel (and optionally with Mailvelope in the future) could already be above the pain barrier of this group.

Now given this target group and the two alternatives, either no encryption or Mailvelope (with its limitations): does the whole situation regarding mass surveillance of email traffic improve, see zero effect, or get worse?

I am thankful for all insights about this question.

Thomas

> -------- Original Message --------
> Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
> Date: Mon, 17 Dec 2012 11:27:26 +0100
> From: Karel Bílek <[email protected]>
> Reply-To: liberationtech <[email protected]>
> To: Eugen Leitl <[email protected]>, [email protected]
> CC: Cypherpunks list <[email protected]>
>
> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,
> I decided to fork his project and make a new one, which both encrypts
> and decrypts in a secure chrome pop-up.
>
> It's here, it's called ChromeGP.
> https://cryptoparty.cz/ChromeGP/
>
> Available on chrome web store here
> https://chrome.google.com/webstore/detail/chromegp/pebhdbojdpjfidjbneklefmpojncdpmf
>
> and on github here
> https://github.com/runn1ng/ChromeGP
>
> There are two big issues with it - first is missing signing/signature
> control (which should be easy to implement, but we will see) and the
> second is OpenPGP's trouble with zip compression inside PGP (which,
> unfortunately, causes the default Thunderbird/Enigmail encryption to fail
> to decrypt, I think).
>
> Feel free to share and/or criticize :)
>
> K
