On Mon, Jul 22, 2013 at 1:10 PM, Kd M <[email protected]> wrote:

> There is a wide open space for improving privacy and security on the
> internet. Little to nothing has changed since 1992 when Steve Jobs demoed
> email encryption (http://youtu.be/7mgG4a591zQ?t=59m38s). The world
> changed though and many people use webmail these days. This is a space
> where Mozilla could take upon itself to set standards by introducing the
> means to securely generate and store key pairs, exposing this through APIs
> for extensions or rolling one that is actually usable and integrated for
> all.

For the purposes of email encryption, isn't JS fast enough to have pure-JS PGP implementations? Couldn't WebMail providers like GMail already use such a pure-JS PGP implementation without any native browser support?

If we provided websites with the ability to use "securely stored" keypairs to encrypt/decrypt PGP email, then a malicious/compromised webmail provider could just use those APIs to decrypt your private email. And/or they could send themselves the plaintext of your email while you are writing it in the email composer part of the web app.

If you have a concrete proposal for how to solve the problem where your email provider could steal the plaintext of your messages even if we provided native crypto support, then we may be able to make some progress.

> It would be pertinent to look ahead and support the design of distributed
> DNS systems. This cannot be done with extensions. In 1990 in response to
> concerns from the EU that ICANN may permit the USG to abuse DNS for
> national reasons they responded saying they would only ever ensure the
> functionality of the internet. 3 years ago they were responsible for
> helping DHS take down URLs that linked to content or were political in
> nature. So supporting distributed DNS is the right thing to do to protect
> the neutrality of the internet in the future.

I suggest you start this discussion on dev-tech-network. I suggest trying to include more specific/concrete suggestions for an alternative to DNS. I don't think that replacing DNS is completely out of the question, but it would be a difficult sell.

> Finally, and this I guess is the hardest sell, Mozilla should use
> duckduckgo by default.

I think it is good to at least file a bug about making it easier for users to switch their browser to DuckDuckGo. (AFAICT, it is already pretty easy to switch to DuckDuckGo because they advertise their Firefox extension on their website. Perhaps we could make the installation of that extension easier in some way.)

> If none of these are things Mozilla is able to do I would be happy to join
> a fork or hear from developers interested in building a truly privacy
> conscious, while still usable, browser.

There are many like-minded people within the Mozilla project and even within Mozilla Corporation.

It is relatively easy to create a crypto API for web pages. The harder part is creating a mechanism that allows websites to use it in a way that they cannot abuse it.

It is relatively easy to implement a new domain name protocol; the hard part is convincing people that it is practical to implement it.

AFAICT, the problem with DuckDuckGo is simply that it isn't clear that most Firefox users prefer DuckDuckGo over Google. So, DuckDuckGo might simply not be a reasonable choice as a default for a mass-market product like Firefox. But, we should make it easy to switch to DuckDuckGo if the user really wants to try it.

Cheers,
Brian

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
