The case with Hushmail is entirely different because Hushmail generates (stores, and backdoors) keys on the server. It's far harder to backdoor JavaScript compared to compiled Java Applets without notice.
I agree with what you're saying though. My intentions are to convert the finished Roundcube JS plugin to browser extensions. Roundcube is an installable IMAP application. It's not an "app" though, but the same code can be reused pretty easily. Someone mentioned that OpenPGP.js was complicated in this thread, providing implementations is a way to counter that :-) "The app is installed only once" <- nope. Bugs and updates will always exist and any security procedure that is based on something else is, in my opinion, broken by design. There are far better end-to-end encryption solutions that can be used instead of HTTPS to patch the fictional scenario where HTTPS gets hijacked. Tor, for example. :-) Nik On 8/15/12 7:54 AM, Tankred Hase wrote: > Well even though its open source, as a webmail client wouldnt it have the > same issues as hushmail? With an installable imap app signed by the > developer and published to an app store, you can defend against certain > attacks better. The app is installed only once, giving less chances to > intercept code than over https. Even if the app publisher was compromised > and was forced to add a backdoor to their app, they couldnt target > individuals and would have to go through the publicely available app. What > do you think? > > Tankred > Am 15.08.2012 10:13 schrieb "Niklas Femerstrand" <[email protected]>: > >> I'm currently working on implementing OpenPGP.js into the Roundcube >> webmail project. They've been missing OpenPGP and it's been a request for >> 7-ish years. It's almost finished and will of course be open source :-) >> >> Nik >> >> On 8/15/12 6:00 AM, Sean Colyer wrote: >> >> Ah, I see now. That actually makes a lot of sense. I think that is pretty >> close to what Carsten had envisioned with the original extension, basically >> a standalone app that plugged into gmail. However, if we could make it >> completely standalone using IMAP, that could provide a better solution for >> those not looking for direct gmail integration. >> >> I absolutely agree with PGP being too complicated to use, that's what >> basically brought me to this project. >> >> Sean >> >> On Sun, Aug 12, 2012 at 8:33 PM, Tankred Hase <[email protected]> >> <[email protected]> wrote: >> >> >> I wasnt trying to suggest that you or anyone do this work. Sorry if it >> came across like that. I was mearly trying to get your technical opinion on >> such an email app, since you had already done the gmail extention. >> >> One of the painpoints I see with PGP on the desktop is getting everything >> installed and configured is probably too much for the average user. What >> struck me when I saw imap client implemtation in js, is that one could take >> this and bundle it with openpgp.js into a simple to use preconfiged email >> app. >> >> The point with the seperate namespace is interesting though. Thanks. >> >> Tankred >> Am 13.08.2012 06:11 schrieb "Sean Colyer" <[email protected]> >> <[email protected]>: >> >> >> I hadn't seen that work, but it does look interesting. I'm not quite sure >> what work you were envisioning I, or the openpgp.js team, would help with >> this project. I think the most likely path would be to just make openpgp.js >> work with Firefox (when it's ready) and allow gaia to craft an >> implementation. >> >> For my intentions, the sandboxing is actually advantageous for security >> of the extension because it means that the private key is stored in the >> extension namespace rather than gmail's. >> >> I do not foresee myself extensively working on a direct implementation >> with gaia, but perhaps I could help them get a start if that would be >> helpful. >> >> Sean >> >> >> On Sat, Aug 11, 2012 at 7:48 PM, Tankred Hase <[email protected]> >> <[email protected]>wrote: >> >> >> Hey Sean, >> >> I was wondering if you've seen the work Mozilla is currently doing on >> its Firefox OS email client. They are building an IMAP client in js, which >> is being optimized for syncing with gmail and yahoo mail. >> https://github.com/mozilla-b2g/gaia-email-libs-and-more >> >> Also David Dahl confirmed window.crypto.getRandomValues() is now >> implemented in gecko and is to be in "FF 17, maybe sooner". >> >> I dont know if you have been following crypto.cat in the last few days. >> They are going extention only in cryptocat 2, offering apps for chrome and >> mozilla WebRT and disallowing direct webusage over https. >> >> I have taken a look at your Chrome extention for Gmail. A complete >> signed installable email app could perhaps deal with some of the issues >> regarding sandboxing, code delivery and storing the private key in the >> gmail domain. What do you think? >> >> Tankred >> >> _______________________________________________ >> http://openpgpjs.org >> >> >> _______________________________________________ >> http://openpgpjs.org >> >> _______________________________________________ >> http://openpgpjs.org >> >> >> >> _______________________________________________ >> http://openpgpjs.org >> >> >> >> _______________________________________________ >> >> http://openpgpjs.org >> >> > > > _______________________________________________ > > http://openpgpjs.org
_______________________________________________ http://openpgpjs.org
