Re: PGP/GPG does not work easily with web-mail.
* on the Wed, Apr 09, 2014 at 11:37:52PM +0100, One Jsim wrote: > PGP/GPG does not work easily with web-mail. Roundcube plus the PGP plugin: http://roundcube.net/ https://github.com/qnrq/rc_openpgpjs The way it works is pretty cool. You paste your private PGP key into a form, and it doesn't get submitted to the server, it just gets stored in the browsers localstorage using JavaScript. So all PGP operations are done locally in the browser, rather than sending the key off to the server to do it server side. It's based on openpgp.js, which is basically a free javascript library for doing OpenPGP: http://openpgpjs.org/ The only problem is (and it's a big one), you have to trust the JavaScript that the server sends. The server could always send some evil JavaScript to you which reads the key from the browser storage and then sends it back to the server or elsewhere. Also, if there are any XSS flaws, there's another potential way of losing the key. -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4 signature.asc Description: Digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/GPG does not work easily with web-mail
PGP actually does work well with web mail. There are two libraries which do pgp encryption, there are 3 that I know which do AES-SHA256-CBC-PKCS7. There are at least two libraries which do pkdf2 sha 256. There is also one library which does AES-SHA256-GCM, but I'm not sure if it does pkcs7 or not. (or whether padding is incorporated into GCM, need to research). Looking up keys on a pgp key server is trivial, registering a key is also trivial. --- However there are some legitimate concerns. The most important to my mind are javascript injection attacks. For instance, let's say the NSA takes over your web-mail server. You think, "well my users' data is fine, because all of the encryption is happening client side, I never see any of the keys, etc." However the NSA could *force* you to place code inside your server which tells the client to send the keys to you randomly. This would be difficult (not impossible) to detect, and when executed *once* would completely destroy the privacy of the target machine forever. Generally these days, (at least the conversations I've been reading), people are talking about making "plugins" out of the client side code and protecting them through the app store. So, I download the app for the client, I check it's signature. It *NEVER* downloads code again. I think there are some other solutions to this problem, which I could babble about, but won't right here. However, there are still attacks. For instance, I'm the NSA, I've spent the hours necessary reading through your code to know that if I write you an email with SO-and-SO pattern, when you display that e-mail my script will be run. That script then would destroy the privacy. This is a very hard attack to guard against. --- In my webmail I'm developing (I wrote one previously using GWT which was too complicated, too difficult to maintain and enhance, this one is much simpler). My goals are three fold: 1. raise the cost of the NSA exponentially. I want them to have to spend considerable time for each target, instead of just "hey Google, give me these 20,000 peoples' email." 2. re-normalize the idea of privacy. Google has pretty much destroyed privacy. And they are trying to destroy anonymity as well. I believe it is important to have by this year's end at least 10 services running which re-normalize privacy in e-mail. Each service hopefully will castigate Google and call them for what they are. 3. give "good" security. Nothing will protect you if you are *actually* some terrorist or something, but it would be nice if we weren't being big-brothered *all* of the time. --- I encourage you to look at those others people referenced. Also, if you care to, take a look at mine as well. https://github.com/timprepscius/mv If you need any help setting up a server, let me know. If you are versed in sys-admin, it should take 5 minutes to get a VM running, or use something like DigitalOcean. The benefits of my server, (I think), is that you should be able to change how it looks and feels without changing any of the fundamental code. Meaning you can change the html templates and css and what not, and it will still function correctly. It uses Backbone, so the rendering is clearly separated from the code/models. Anyhowz, If you are looking for perfect security, web mail is not the way to go. Hopefully a plugin will be able to provide near-ish the same security that a standalone program with no javascript interpreter might. But that doesn't mean that PGP WebMail won't be a billion-million times better than gmail. (can't wait to leave it! so close, soon soon) Good night, -tim ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/GPG does not work easily with web-mail.
You may want to look at these: - http://www.mailvelope.com/ - https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba/details - https://www.penango.com/products Some info about the above: http://www.makeuseof.com/tag/encrypt-your-gmail-hotmail-and-other-webmail-heres-how/ Also, this is a promising project: https://www.mailpile.is/ --aslamK http://gplus.to/akwala PGP key <http://is.gd/aslampgpmit> (id: FECF84FB) fingerprint: 736C D83E 32DB A2FD 0208 9113 0FC8 BA7D FECF 84FB On Wed, Apr 9, 2014 at 6:37 PM, One Jsim wrote: > PGP/GPG does not work easily with web-mail. > > Most email, today, is read and write using the browser > > POP ou IMAP mail is a rarity > > That is the problem > > Some text/link in this problem? > > José Simões > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP/GPG does not work easily with web-mail.
On Wed, Apr 09, 2014 at 11:37:52PM +0100, One Jsim wrote: > PGP/GPG does not work easily with web-mail. > > Most email, today, is read and write using the browser > > POP ou IMAP mail is a rarity > > That is the problem > > Some text/link in this problem? > > José Simões Well... I started to write a firefox addon, but never had enough time to finish it. Perhaps later. If anyone wishes to get what I've done (that is, a js-ctype binding of gpgme, along with tests AFAICR), I can try to locate the source code! However, a major issue remains the encryption of HTML documents, which is, AFAICT, not possible today (well, not automatically at least, as of course gpg can be used to sign html files); and besides not obviously secure: what about white-on-white text and such? I don't doubt there are fixes for such, and most isn't even an issue; I just remember enigmail forbids it, so I guess there are reasons. Sorry for not helping you more, Leo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
PGP/GPG does not work easily with web-mail.
PGP/GPG does not work easily with web-mail. Most email, today, is read and write using the browser POP ou IMAP mail is a rarity That is the problem Some text/link in this problem? José Simões ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
