Uncle Zzzen <[email protected]> writes:

> The reason why FireGPG no longer ships with tails is that the DOM of a web
> app is not a safe place for plaintext
> https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/
> Any architecture where plaintext is stored inside a web app's DOM is
> dangerous. Especially a webmail app that can be expected to save drafts,
> but not only. Web apps can be MITMed, XSSed, etc. If it came via the web,
> it's a suspect.
>
> I'd expect a crypto add-on to only accept plaintext (and other sensitive)
> information via a separate GUI that can only be launched manually (not via
> javascript in an app's DOM) and has a hard-to-imitate look-and-feel (to
> discourage phishing). The only communication between this add-on and the
> rest of the browser should be via the clipboard. Users who can't handle
> copy/paste shouldn't be trusted with a key pair :)

A prominent new entry in OpenPGP encrypted webmail is Google's "end-to-end" [1,2]. Does it avoid this issue? How?

[1] https://code.google.com/p/end-to-end/
[2] http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html

-- 
StealthMonger
Long, random latency is part of the price of Internet anonymity.
Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key

-- 
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
