(I'm new around these parts, please be gentle :)

Could one do what the Mozilla Persona devs do (or, at least, intend to 
do, from what I can tell), in creating extensions which provide a JS API 
for the crypto which if there isn't an extension present, falls back 
onto a JS lib which does the crypto stuff (which sounds like what's 
happening at the moment), but if there is an extension present, this 
extension does the crypto instead of the JS lib?

~ Leo

On 13/06/13 09:37, Tankred Hase wrote:
> IMHO one has to deploy the crypto in a separate packaged app. Like the
> upcoming new chrome/firefox packaged apps, that run in their own
> process/window outside of the browser. This of course means that you
> have to write or reuse a whole HTML5 email client. But this will offer
> comparable security to other email clients in my opinion and allow you
> to integrate crypto and key management directly into the application for an
> easier user experience.
>
> http://developer.chrome.com/apps/about_apps.html
>
> Separating crypto/key storage and application logic into sandboxed
> iframes while enabling CSP prevents XSS vulnerabilities. And any nasty
> things such as inline scripting, eval and plugins/flash are restricted
> in the new chrome apps.
>
> The only problem that persists when compared to native crypto, as far as
> I can tell, are side-channel attacks, since there aren't any constant
> time JS crypto implementations. But like you said, you would have to own
> the machine to do that. And no crypto can protect you in that case anyway.
>
>
> On 13.06.2013 at 09:57, "Thomas Oberndörfer" <[email protected]> wrote:
>
>>
>> Hi,
>>
>> there is an episode from Hak5 that claims to show a security
>> vulnerability of OpenPGP.js: https://www.youtube.com/watch?v=NnHOYSRrqS4
>>
>> As an example they demonstrate an "exploit" and extract private keys
>> from a Mailvelope and MyMail-Crypt installation.
>>
>> Basically they own the machine first and then read in the localStorage
>> SQL file where OpenPGP.js stores the keys in clear text.
>>
>> My points on this:
>>
>> - OpenPGP.js is not meant to be for hostile environments
>> - This is true for other PGP implementations as well. Take GPG: if you
>> own the machine you can also do a "gpg --export-secret-key -a" and get
>> all the keys
>> - There is speculation in the episode about a possible attack on the
>> localStorage from other addons or external websites. This boils down
>> to the never-ending discussion of whether the browser is a suitable
>> platform for crypto or not.
>> - It would be good to have a more modular persistence layer in
>> OpenPGP.js to enable applications to implement their own secure storage.
>>
>> Any thoughts?
>>
>> Thanks,
>> Thomas
>> _______________________________________________
>>
>> http://openpgpjs.org
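As an added illustration of the "modular persistence layer" idea raised in the thread (not code from OpenPGP.js or from any poster): a key store that wraps each private key under a passphrase before handing it to a localStorage-shaped backend, so the stored record is no longer clear text. All class names are hypothetical, and Node's built-in `crypto` module is assumed so that it runs from the command line.

```javascript
// Added example: all names here are hypothetical, none are OpenPGP.js API.
const nodeCrypto = require('crypto');

// Backend contract: getItem/setItem, the same shape as localStorage.
class MemoryBackend {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
}

class WrappedKeyStore {
  constructor(backend, passphrase) { this.backend = backend; this.passphrase = passphrase; }
  // scrypt turns the passphrase into a 256-bit wrapping key, salted per record.
  deriveKey(salt) { return nodeCrypto.scryptSync(this.passphrase, salt, 32); }

  put(keyId, armoredKey) {
    const salt = nodeCrypto.randomBytes(16);
    const iv = nodeCrypto.randomBytes(12);
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', this.deriveKey(salt), iv);
    cipher.setAAD(Buffer.from(keyId)); // binds the record to its key id
    const ct = Buffer.concat([cipher.update(armoredKey, 'utf8'), cipher.final()]);
    const record = [salt, iv, cipher.getAuthTag(), ct].map(b => b.toString('base64'));
    this.backend.setItem(keyId, JSON.stringify(record));
  }

  get(keyId) {
    const raw = this.backend.getItem(keyId);
    if (raw === null) return null;
    const [salt, iv, tag, ct] = JSON.parse(raw).map(s => Buffer.from(s, 'base64'));
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', this.deriveKey(salt), iv);
    decipher.setAAD(Buffer.from(keyId));
    decipher.setAuthTag(tag);
    // final() throws on a wrong passphrase or a modified or relocated record.
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  }
}

// Constructed sample value, not a real key.
const SAMPLE_KEY = '-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed)\n-----END PGP PRIVATE KEY BLOCK-----';

function demo() {
  const backend = new MemoryBackend();
  new WrappedKeyStore(backend, 'correct horse').put('alice', SAMPLE_KEY);
  let wrongRejected = false;
  try { new WrappedKeyStore(backend, 'wrong').get('alice'); } catch (e) { wrongRejected = true; }
  const roundTrip = new WrappedKeyStore(backend, 'correct horse').get('alice') === SAMPLE_KEY;
  return { clearTextAtRest: backend.getItem('alice').includes('PRIVATE KEY'), roundTrip, wrongRejected };
}
```

The wrapping only changes what a copy of the storage file reveals; as the thread notes, it does not help once the machine itself is owned while the passphrase is in use.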
