On Fri, Oct 30, 2015 at 08:45:28PM +0100, Per Guth wrote:
> Hello,

Hello Per. Sorry for being again on the opposite dimension of
opinionspace. I don't mean to put you down, I just have a very
skeptical look at things...

> I think this constitutes quite a huge leap forward in terms of
> usability. Basically they combined open source javascript libraries

Wait, first of all the main usability problems of PGP are caused by
SMTP.. therefore changing the UI doesn't address any of those.
I presented about that at http://youbroketheinternet.org/#30c3usability
and collected 15 problems with PGP at http://secushare.org/PGP

By the way, Hartmut, how many of the problems listed on that page
does pEp handle?

> for IMAP, TLS and OpenPGP to form a client side browser based email
> client that is capable of making e2e encrypted mailing charmingly

Reducing the insecurity of PGP even further... while we should
focus on making metadata resistant mail systems!

> easy. That combined with the state of the art UI from
> https://github.com/nylas/N1 would be terrific!

Ricochet or Telegram aren't so ugly either. They are written in Qt.

> Using JavaScript Whiteout will establish an **encrypted end-to-end
> connection** from your browser/the app/the extension **to the IMAP
> server**.

Wow.. now that I call whitewashing. Using the terminology "end-to-end"
to mean the connection to the server is really really selling snake
oil to the people. As if servers were the end of anything.

> Keys can easily be **generated (2048 bit)** on the client,

Trusting JS code from the server...

> **imported, exported and revoked**. Users have the option to use an
> **encrypted private key sync** if they conveniently want to use the
> same key on multiple devices. Whiteout will **transparently search
> for public keys** of peers by querying common public key servers.

Exposing the metadata of communication partners before any mail has
been sent?

> Sent encrypted mails are encrypted to self before they get saved to
> `Sent`.

What happens with unsent drafts? Thunderbird and Claws both had the
bug of sending them to the IMAP server in the clear.

> A **pure Javascript** implementation of the OpenPGP protocol:
> [OpenPGP.js](http://openpgpjs.org/). Only supports browsers that
> implement `window.crypto.getRandomValues`. Code base has undergone
> **two complete security audits** from [Cure53](https://cure53.de/).

Too bad that OpenPGP is really really bad for metadata protection.
One implementation was already one too many.

-- 
E-mail is public! Talk to me in private using encryption:
http://loupsycedyglgamf.onion/LynX/
irc://loupsycedyglgamf.onion:67/lynX
https://psyced.org:34443/LynX/
