Some clarification on this topic from my side.

> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,


This is not my position. I commented on this topic as follows:

> But of course best is to have the choice. Therefore I would like to see two
> different modes in Mailvelope:
> the current one (as default) that is integrated in webmail with all the
> risk and all the comfort.
> And a second one that offers strong isolation but maybe less usability.
> The mode is then configurable in the settings.

see: https://github.com/toberndo/mailvelope/issues/14

I agree that the security limitations of Mailvelope have not been
communicated properly from the start.
It's a young project, I didn't see all implications from the beginning and
there has been also no security audit yet.
Meanwhile I put a section in the documentation that describes the
limitations to my best knowledge:
http://www.mailvelope.com/help#security

Mailvelope has a strong focus on usability. It wants to lower the barriers
of entry to email encryption for people
with previously no experience in this field.
The question I want to ask with this project is: let's assume there is a
correlation between the usability of a security solution
and the number of people who are willing to use it. There should be a big
target group who either use a convenient solution
or stay away from e.g. email encryption at all. A copy&paste solution from
Karel (and optional with Mailvelope in the future)
could be already above the pain barrier of this group.
Now given this target group and the two alternatives: either no encryption
or Mailvelope (with its limitations). Does the whole situation
regarding mass surveillance of email traffic improve, see zero effect, or get
worse?

I am thankful for all insights about this question.

Thomas

P.S. Could somebody please forward this mail to the liberationtech mailing
list in the relevant thread? I just subscribed...





On Mon, Dec 17, 2012 at 2:02 PM, Fabio Pietrosanti (naif) <[email protected]> wrote:

>  FYI
>
> -------- Original Message --------
> Subject:     Re: [liberationtech] Mailvelope: OpenPGP Encryption for
> Webmail
> Date:     Mon, 17 Dec 2012 11:27:26 +0100
> From:     Karel Bílek <[email protected]>
> Reply-To:     liberationtech <[email protected]>
> To:     Eugen Leitl <[email protected]>, [email protected]
> CC:     Cypherpunks list <[email protected]>
>
>
>
> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,
> I decided to fork his project and make a new one, which both encrypts
> and decrypts in a secure chrome pop-up.
>
> It's here, it's called ChromeGP.
> https://cryptoparty.cz/ChromeGP/
>
> Available on chrome web store here
>
> https://chrome.google.com/webstore/detail/chromegp/pebhdbojdpjfidjbneklefmpojncdpmf
>
> and on github here
> https://github.com/runn1ng/ChromeGP
>
> There are two big issues with it - first is missing signing/signature
> control (which should be easy to implement, but we will see) and the
> second is OpenPGP's trouble with zip compression inside PGP (which,
> unfortunately, causes the default Thunderbird/Enigmail encryption fail
> to decrypt, I think).
>
> Feel free to share and/or criticize :)
>
> K
>
> On Thu, Dec 13, 2012 at 1:24 PM, Eugen Leitl <[email protected]> wrote:
> > ----- Forwarded message from StealthMonger <[email protected]> -----
> >
> > From: StealthMonger <[email protected]>
> > Date: Wed, 12 Dec 2012 23:22:28 +0000 (GMT)
> > To: liberationtech <[email protected]>
> > Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
> > Reply-To: liberationtech <[email protected]>
> >
>
> Uncle Zzzen <[email protected]> writes:
>
> > [Weighty argument compelling closer study.]
>
> So unless and until the Mailvelope author(s) remedy this, support for
> Mailvelope has to be muted.
>
> However, comparison with Cryptocat is still unfitting because
> Cryptocat does not even pretend to do store-and-forward authenticated
> email using public key cryptography.  In fact, its author asserts [1]
>
>    2. Cryptocat does not mean to compete with GPG, it means to replace
>    *plaintext.*
>
> [1] Date: Mon, 6 Aug 2012 18:14:33 -0700 Message-ID:
> <caoz60qdzfadz35xjbwkad1vjtt3zzkbp-tw2ipq+sueuzsk...@mail.gmail.com>
>
>  >
> > --
> > Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >
> > ----- End forwarded message -----
> > --
> > Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
> > ______________________________________________________________
> > ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> > 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
>
>
>
> _______________________________________________
>
> http://openpgpjs.org
>
>


-- 
Thomas Oberndörfer
Twitter: https://twitter.com/toberndo
LinkedIn: http://de.linkedin.com/in/toberndo
_______________________________________________

http://openpgpjs.org
