OK then, I probably read your comment wrong. On the other hand, I just
find the "DOM encryption" insecure by design and it's actually
negative to provide users false hope of security.

K

On Mon, Dec 17, 2012 at 3:29 PM, Thomas Oberndörfer <[email protected]> wrote:
> Some clarification on this topic from my side.
>
>> Because Thomas (the original developer of Mailvelope) wanted to let
>> the extension work as it was, with the unsecure encryption inside DOM,
>
>
> This is not my position. I commented on this topic as follows:
>
>> But of course best is to have the choice. Therefore I would like to see
>> two different modes in Mailvelope:
>> the current one (as default) that is integrated in webmail with all the
>> risk and all the comfort.
>> And a second one that offers strong isolation but maybe less usability.
>> The mode is then configurable in the settings.
>
> see: https://github.com/toberndo/mailvelope/issues/14
>
> I agree that the security limitations of Mailvelope have not been
> communicated properly from the start.
> It's a young project, I didn't see all implications from the beginning and
> there has been also no security audit yet.
> Meanwhile I put a section in the documentation that describes the limitations
> to my best knowledge:
> http://www.mailvelope.com/help#security
>
> Mailvelope has a strong focus on usability. It wants to lower the barriers
> of entry to email encryption for people
> with previously no experience in this field.
> The question I want to ask with this project is: let's assume there is a
> correlation between the usability of a security solution
> and the number of people who are willing to use it. There should be a big
> target group who either use a convenient solution
> or stay away from e.g. email encryption at all. A copy&paste solution from
> Karel (and optional with Mailvelope in the future)
> could be already above the pain barrier of this group.
> Now given this target group and the two alternatives: either no encryption
> or Mailvelope (with its limitations). Does the whole situation
> regarding mass surveillance of email traffic improve, zero effect, gets
> worse?
>
> I am thankful for all insights about this question.
>
> Thomas
>
> P.S. Could somebody please forward this mail to the liberationtech mailing
> list in the relevant thread? I just subscribed...
>
>
>
>
>
> On Mon, Dec 17, 2012 at 2:02 PM, Fabio Pietrosanti (naif)
> <[email protected]> wrote:
>>
>> FYI
>>
>> -------- Original Message --------
>> Subject:     Re: [liberationtech] Mailvelope: OpenPGP Encryption for
>> Webmail
>> Date:     Mon, 17 Dec 2012 11:27:26 +0100
>> From:     Karel Bílek <[email protected]>
>> Reply-To:     liberationtech <[email protected]>
>> To:     Eugen Leitl <[email protected]>, [email protected]
>> CC:     Cypherpunks list <[email protected]>
>>
>>
>>
>> Because Thomas (the original developer of Mailvelope) wanted to let
>> the extension work as it was, with the unsecure encryption inside DOM,
>> I decided to fork his project and make a new one, which both encrypts
>> and decrypts in a secure chrome pop-up.
>>
>> It's here, it's called ChromeGP.
>> https://cryptoparty.cz/ChromeGP/
>>
>> Available on chrome web store here
>>
>> https://chrome.google.com/webstore/detail/chromegp/pebhdbojdpjfidjbneklefmpojncdpmf
>>
>> and on github here
>> https://github.com/runn1ng/ChromeGP
>>
>> There are two big issues with it - first is missing signing/signature
>> control (which should be easy to implement, but we will see) and the
>> second is OpenPGP's trouble with zip compression inside PGP (which,
>> unfortunately, causes the default Thunderbird/Enigmail encryption to fail
>> to decrypt, I think).
>>
>> Feel free to share and/or criticize :)
>>
>> K
>>
>> On Thu, Dec 13, 2012 at 1:24 PM, Eugen Leitl <[email protected]> wrote:
>> > ----- Forwarded message from StealthMonger
>> > <[email protected]> -----
>> >
>> > From: StealthMonger <[email protected]>
>> > Date: Wed, 12 Dec 2012 23:22:28 +0000 (GMT)
>> > To: liberationtech <[email protected]>
>> > Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
>> > Reply-To: liberationtech <[email protected]>
>> >
>>
>> Uncle Zzzen <[email protected]> writes:
>>
>> > [Weighty argument compelling closer study.]
>>
>> So unless and until the Mailvelope author(s) remedy this, support for
>> Mailvelope has to be muted.
>>
>> However, comparison with Cryptocat is still unfitting because
>> Cryptocat does not even pretend to do store-and-forward authenticated
>> email using public key cryptography.  In fact, its author asserts [1]
>>
>>    2. Cryptocat does not mean to compete with GPG, it means to replace
>>    *plaintext.*
>>
>> [1] Date: Mon, 6 Aug 2012 18:14:33 -0700 Message-ID:
>> <caoz60qdzfadz35xjbwkad1vjtt3zzkbp-tw2ipq+sueuzsk...@mail.gmail.com>
>>
>> >
>> > --
>> > Unsubscribe, change to digest, or change password at:
>> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
>> >
>> > ----- End forwarded message -----
>> > --
>> > Eugen* Leitl <a href="http://leitl.org";>leitl</a> http://leitl.org
>> > ______________________________________________________________
>> > ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> > 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
>>
>>
>>
>> _______________________________________________
>>
>> http://openpgpjs.org
>>
>
>
>
> --
> Thomas Oberndörfer
> Twitter: https://twitter.com/toberndo
> LinkedIn: http://de.linkedin.com/in/toberndo
>
>