On 2011-10-10, Fabio Pietrosanti (naif) <li...@infosecurity.ch> wrote:
> Hi Kyle and Aaron,
>
> let me answer to you by making in Cc the tor-talk mailing lists where
> there is an on-going discussion about it.
>
> It has been suggested that FireGPG is unsafe
> (https://tails.boum.org/bugs/FireGPG_may_be_unsafe/), your approach by
> design sounds very nice.

You seem to have missed the point of that page -- the problem with
FireGPG is what it allows, not how it was implemented.

> I am wondering whether it would be possible to add another simple
> security mechanism so that the user is "alerted" anytime a GPG related
> operation is going to be executed.
>
> Something like:
> "The website blahblah.com would like to use PGP to [encrypt|sign|cipher]
> web-data, do you want to allow it?"
>
> Ransom, what do you think about Kyle and Aaron approach? (Eventually
> including a "pre-warning" for any sensitive operation to the end-user)?

A warning before JavaScript enumerates your keyring isn't sufficient.
Users must, at a minimum, be able to block all further attempts by a
page or website to use GPG features. And even that won't help most
users -- a request-for-permission dialog can only protect users who
read messages before clicking 'Allow', and who understand that allowing
a website to use a GPG plugin is dangerous.

> By embedding a GPG support into TorBrowserbundle, the Tor Project would
> eventually provide a "Trusted PGP Key lookup server" on a Tor Hidden
> Service that forward the PGP key lookup to public internet key servers.

No we wouldn't.

> I mean, today everything goes over HTTP, but our browsers are capable of
> doing end-to-end encryption only by using Javascript.
> Why not try to "enable" the best of Anonymity (Tor) + best of Web
> Browsing (Firefox) with best of encryption (GPG) ?

I don't consider Firefox the 'best of Web Browsing' or GPG the 'best of
encryption'. They are only the crap tools we're stuck with for now.

Robert Ransom