On 08/24/2013 05:13 PM, Francisco Ruiz wrote:
>
> My encryption app, PassLok, is currently in the shape of a standalone,
> static web page with two text boxes where users copy and paste plain
> or encrypted messages. I am considering the possibility of making a
> browser extension version out of it, probably along the lines of
> myMail-crypt or Mailvelope for Chrome, to provide a tighter
> integration with email programs (or at least with Gmail, which is very
> popular these days).
>
I suspect you're going to get lots of different answers to this question, but here is how I see it:

Offering a browser extension or downloadable application is far superior to having it in website format, because you can offer GPG signatures and the user doesn't have to worry that you've been forced to change the code server-side (or that they've got network interference).

You shouldn't be storing collections of passwords on your server, in any format, ever. This is just begging for trouble, either from hackers, broken servers, or government agencies.

Release your app as a proper downloaded app. Allow people to save their passwords locally. And have someone help you with threat modeling. It doesn't prevent all problems, but it turns a huge problem into a few small problems, and puts much of the burden back onto the user to secure their computer and local network.

Just my $0.02

best,
Griffin

--
"Cypherpunks write code not flame wars." --Jurre van Bergen
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts, while frequently amusing, are not representative of the thoughts of my employer.

--
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.