Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Wed, Dec 15, 2010 at 4:23 PM, Ted Unangst wrote:
> On Wed, Dec 15, 2010 at 3:51 PM, Kevin Chadwick wrote:
>> That's about the third time it's been recommended and I've kept meaning
>> to look at it. I've been installing it for ages. Just loaded it up and
>> from the name was expecting a graphical curses browser but was rather
>> pleasantly surprised. Time to keep an eye on the source and try to find
>> out how likely it is to avoid exploits that affect firefox. (with
>> javascript disabled, there's no point striving for the impossible)
>
> no disrespect to marco, but it's nothing more than a (lighter than
> usual) shim around webkit. it's just like safari, chrome, midori,
> arora, etc., wrt files it will try parsing and the attack surface so
> exposed.

I thought that the point about xxxterm was nice keybindings, a nice configuration file and some keyboard free interface...
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Wed, Dec 15, 2010 at 3:51 PM, Kevin Chadwick wrote:
> That's about the third time it's been recommended and I've kept meaning
> to look at it. I've been installing it for ages. Just loaded it up and
> from the name was expecting a graphical curses browser but was rather
> pleasantly surprised. Time to keep an eye on the source and try to find
> out how likely it is to avoid exploits that affect firefox. (with
> javascript disabled, there's no point striving for the impossible)

no disrespect to marco, but it's nothing more than a (lighter than usual) shim around webkit. it's just like safari, chrome, midori, arora, etc., wrt files it will try parsing and the attack surface so exposed.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Wed, 15 Dec 2010 20:55:21 + Fred Crowson wrote:
> On 14/12/2010, Kevin Chadwick wrote:
>
> > are rarely as bad. A graphical and simple (probably impossible) OpenBSD
> > browser, would really be something, but now I'm just dreaming.
> >
> xxxterm should fit that description.
>
> hth
>
> Fred
> (Sent from xxxterm :~])
>

That's about the third time it's been recommended and I've kept meaning to look at it. I've been installing it for ages. Just loaded it up and from the name was expecting a graphical curses browser but was rather pleasantly surprised. Time to keep an eye on the source and try to find out how likely it is to avoid exploits that affect firefox. (with javascript disabled, there's no point striving for the impossible)

Just looking at the libraries and memory usage I'd probably have to say close but I'm not yet sure if it gets the cigar. Looks like it fits its intended anticlutter and maximum screen real estate intentions but it would be nice if security was one of its main aims. It does appear to be a third of the size of firefox though :-)
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On 14/12/2010, Kevin Chadwick wrote:
> are rarely as bad. A graphical and simple (probably impossible) OpenBSD
> browser, would really be something, but now I'm just dreaming.

xxxterm should fit that description.

hth

Fred
(Sent from xxxterm :~])
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Tue, 14 Dec 2010 16:38:54 -0800 xSAPPYx wrote:
> Dan Kaminsky (http://dankaminsky.com) has been working on "Domain Key
> Infrastructure" bootstrapped off of dnssec that looks pretty
> interesting. I'm not sure where the video is for this talk (it was at
> blackhat/defcon 2010), but I found the slides..
> http://www.slideshare.net/dakami/phreebird-suite-10-introducing-the-domain-key-infrastructure

he is not the only one doing keys via dns(sec). verisign had a reason to sell their ca-business when they did.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Tue, Dec 14, 2010 at 5:19 PM, Johan Beisser wrote:
> On Tue, Dec 14, 2010 at 2:06 PM, Tomas Vavrys wrote:
>> Is there a light at the end of the tunnel somewhere to make email
>> secure even for amateurs who don't know how to use PGP? I'm very
>> curious about the future of email, especially now. I would like to
>> hear opinions of OpenBSD wizards. The thing is that it is very hard to
>> persuade someone to use PGP all the time.
>
> PGP has gotten easier with various front ends. Take a look at GPG Made
> Easy for an example of simplifying the library calls for application
> access to PGP encryption.

Typing "pgp --make-it-safe" or clicking a button has never been the hard part. The key management and trust clusterfuck is the hard part. Kaminsky's "DNS is the root of all certs" approach looks promising, so I think there's a chance we'll see real progress within ten years.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
Dan Kaminsky (http://dankaminsky.com) has been working on "Domain Key Infrastructure" bootstrapped off of dnssec that looks pretty interesting. I'm not sure where the video is for this talk (it was at blackhat/defcon 2010), but I found the slides..
http://www.slideshare.net/dakami/phreebird-suite-10-introducing-the-domain-key-infrastructure

On Tue, Dec 14, 2010 at 14:06, Tomas Vavrys wrote:
> Is there a light at the end of the tunnel somewhere to make email
> secure even for amateurs who don't know how to use PGP? I'm very
> curious about the future of email, especially now. I would like to
> hear opinions of OpenBSD wizards. The thing is that it is very hard to
> persuade someone to use PGP all the time.
>
> 2010/12/13 Joel Wiramu Pauling :
>> On 13 December 2010 22:23, Joachim Schipper
>> wrote:
>>> On Sun, Dec 12, 2010 at 09:11:16PM -0700, Travis King wrote:
>>>> Joel Wiramu Pauling wrote:
>>>> > Marti Martinez wrote:
>>>> > > Ted Unangst wrote:
>>>> > >> At some point you're going to realize that the javascript that
>>>> > >> decrypts your mail has to come from someplace.
>>>> > >
>>>> > > A better alternative would be a PGP browser addon (...)
>>>> >
>>>> > [See] firegpg
>>>>
>>>> firegpg is the only way I can get friends and family to communicate
>>>> with me securely. I don't even know what the interface looks like, but
>>>> it does work (apparently).
>>>
>>> It's unmaintained. I would also be surprised if the server can't get at
>>> your plaintext (e.g. with Javascript, or even Java/Flash).
>>>
>>> You may want to look at
>>> http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/ and
>>> the comments (in particular, my
>>> http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/#comment-6239).
>>>
>>> Summary: it doesn't work, and can't work unless you add a plugin with
>>> *many* restrictions.
>>>
>>> Joachim
>>>
>>> --
>>> PotD: devel/ivy - dependency manager for Java
>>> http://www.joachimschipper.nl/
>>>
>>
>> Firegpg was basically just chrome extensions to local(read client)
>> side gpg binaries. It wasn't insecure for the reasons you cite, the
>> author just got sick of having to update it to work with gmail (its
>> initial target). It is still useful for easy access to gpg functions
>> within firefox.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
2010/12/14 Kevin Chadwick :
> On Tue, 14 Dec 2010 23:06:49 +0100
> it is very hard to persuade someone to use PGP in the first place, and
> even harder to believe they have a secure machine.

I have a great experience with Pidgin and OTR. Even a child could handle the first authorization after a simple installation of OTR plugin. A lot of my friends use it now, because I have encouraged a little paranoia in them. However, it's not email though.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Tue, 14 Dec 2010 23:33:13 +0100 Tomas Vavrys wrote:
> Well, since Egypt we know that it's not going to happen.
>
> 2010/12/14 roberth :
> > On Tue, 14 Dec 2010 23:06:49 +0100
> > Tomas Vavrys wrote:
> >
> >> Is there a light at the end of the tunnel somewhere to make email
> >> secure even for amateurs who don't know how to use PGP? I'm very
> >> curious about the future of email, especially now. I would like to
> >> hear opinions of OpenBSD wizards. The thing is that it is very
> >> hard to persuade someone to use PGP all the time.
> >
> > yes, as strange as it sounds, the solution is called education.
>

btw, you top-posted on purpose to make your point, didn't you?
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Tue, 14 Dec 2010 23:33:13 +0100 Tomas Vavrys wrote:
> Well, since Egypt we know that it's not going to happen.
>
> 2010/12/14 roberth :
> > On Tue, 14 Dec 2010 23:06:49 +0100
> > Tomas Vavrys wrote:
> >
> >> Is there a light at the end of the tunnel somewhere to make email
> >> secure even for amateurs who don't know how to use PGP? I'm very
> >> curious about the future of email, especially now. I would like to
> >> hear opinions of OpenBSD wizards. The thing is that it is very
> >> hard to persuade someone to use PGP all the time.
> >
> > yes, as strange as it sounds, the solution is called education.
>

egypt what? lots of governments are working hard on getting darwin back into our daily life. too weak or stupid? you die.

some people have the patience to teach, others don't. old people miss the cuteness factor of children, but still... everybody should have experienced how satisfying it is to see senior home inhabitants starting to teach "the internet" to others once they got it. what really stands out is, that they don't expect all the girls on a social networking site to have to show them theirs because they uploaded a photo of theirs. :)
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Tue, Dec 14, 2010 at 2:06 PM, Tomas Vavrys wrote:
> Is there a light at the end of the tunnel somewhere to make email
> secure even for amateurs who don't know how to use PGP? I'm very
> curious about the future of email, especially now. I would like to
> hear opinions of OpenBSD wizards. The thing is that it is very hard to
> persuade someone to use PGP all the time.

PGP has gotten easier with various front ends. Take a look at GPG Made Easy for an example of simplifying the library calls for application access to PGP encryption.

jb
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
Well, since Egypt we know that it's not going to happen.

2010/12/14 roberth :
> On Tue, 14 Dec 2010 23:06:49 +0100
> Tomas Vavrys wrote:
>
>> Is there a light at the end of the tunnel somewhere to make email
>> secure even for amateurs who don't know how to use PGP? I'm very
>> curious about the future of email, especially now. I would like to
>> hear opinions of OpenBSD wizards. The thing is that it is very hard to
>> persuade someone to use PGP all the time.
>
> yes, as strange as it sounds, the solution is called education.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Tue, 14 Dec 2010 23:06:49 +0100 Tomas Vavrys wrote:
> The thing is that it is very hard to
> persuade someone to use PGP all the time.

it is very hard to persuade someone to use PGP in the first place, and even harder to believe they have a secure machine.

Sometimes you may find encrypted pdfs are an easy solution but then if they're running adobe reader or worse flash then they're almost guaranteed to have had a known exploit every week for the last I'll let you know when they stop. Of course you could say similar about firefox, but the exploits are rarely as bad. A graphical and simple (probably impossible) OpenBSD browser, would really be something, but now I'm just dreaming.

On the other hand, the fact it is hard to get someone to use gpg may mean that if they do then you can trust them to a higher degree than if it was already set up for all users.

You can use gpg to securely talk to yourself, of course.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Tue, 14 Dec 2010 23:06:49 +0100 Tomas Vavrys wrote:
> Is there a light at the end of the tunnel somewhere to make email
> secure even for amateurs who don't know how to use PGP? I'm very
> curious about the future of email, especially now. I would like to
> hear opinions of OpenBSD wizards. The thing is that it is very hard to
> persuade someone to use PGP all the time.

yes, as strange as it sounds, the solution is called education.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
Is there a light at the end of the tunnel somewhere to make email secure even for amateurs who don't know how to use PGP? I'm very curious about the future of email, especially now. I would like to hear opinions of OpenBSD wizards. The thing is that it is very hard to persuade someone to use PGP all the time.

2010/12/13 Joel Wiramu Pauling :
> On 13 December 2010 22:23, Joachim Schipper
> wrote:
>> On Sun, Dec 12, 2010 at 09:11:16PM -0700, Travis King wrote:
>>> Joel Wiramu Pauling wrote:
>>> > Marti Martinez wrote:
>>> > > Ted Unangst wrote:
>>> > >> At some point you're going to realize that the javascript that
>>> > >> decrypts your mail has to come from someplace.
>>> > >
>>> > > A better alternative would be a PGP browser addon (...)
>>> >
>>> > [See] firegpg
>>>
>>> firegpg is the only way I can get friends and family to communicate
>>> with me securely. I don't even know what the interface looks like, but
>>> it does work (apparently).
>>
>> It's unmaintained. I would also be surprised if the server can't get at
>> your plaintext (e.g. with Javascript, or even Java/Flash).
>>
>> You may want to look at
>> http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/ and
>> the comments (in particular, my
>> http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/#comment-6239).
>>
>> Summary: it doesn't work, and can't work unless you add a plugin with
>> *many* restrictions.
>>
>> Joachim
>>
>> --
>> PotD: devel/ivy - dependency manager for Java
>> http://www.joachimschipper.nl/
>>
>
> Firegpg was basically just chrome extensions to local(read client)
> side gpg binaries. It wasn't insecure for the reasons you cite, the
> author just got sick of having to update it to work with gmail (its
> initial target). It is still useful for easy access to gpg functions
> within firefox.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On 13 December 2010 22:23, Joachim Schipper wrote:
> On Sun, Dec 12, 2010 at 09:11:16PM -0700, Travis King wrote:
>> Joel Wiramu Pauling wrote:
>> > Marti Martinez wrote:
>> > > Ted Unangst wrote:
>> > >> At some point you're going to realize that the javascript that
>> > >> decrypts your mail has to come from someplace.
>> > >
>> > > A better alternative would be a PGP browser addon (...)
>> >
>> > [See] firegpg
>>
>> firegpg is the only way I can get friends and family to communicate
>> with me securely. I don't even know what the interface looks like, but
>> it does work (apparently).
>
> It's unmaintained. I would also be surprised if the server can't get at
> your plaintext (e.g. with Javascript, or even Java/Flash).
>
> You may want to look at
> http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/ and
> the comments (in particular, my
> http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/#comment-6239).
>
> Summary: it doesn't work, and can't work unless you add a plugin with
> *many* restrictions.
>
> Joachim
>
> --
> PotD: devel/ivy - dependency manager for Java
> http://www.joachimschipper.nl/
>

Firegpg was basically just chrome extensions to local(read client) side gpg binaries. It wasn't insecure for the reasons you cite, the author just got sick of having to update it to work with gmail (its initial target). It is still useful for easy access to gpg functions within firefox.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Sun, Dec 12, 2010 at 09:11:16PM -0700, Travis King wrote:
> Joel Wiramu Pauling wrote:
> > Marti Martinez wrote:
> > > Ted Unangst wrote:
> > >> At some point you're going to realize that the javascript that
> > >> decrypts your mail has to come from someplace.
> > >
> > > A better alternative would be a PGP browser addon (...)
> >
> > [See] firegpg
>
> firegpg is the only way I can get friends and family to communicate
> with me securely. I don't even know what the interface looks like, but
> it does work (apparently).

It's unmaintained. I would also be surprised if the server can't get at your plaintext (e.g. with Javascript, or even Java/Flash).

You may want to look at http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/ and the comments (in particular, my http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/#comment-6239).

Summary: it doesn't work, and can't work unless you add a plugin with *many* restrictions.

Joachim

--
PotD: devel/ivy - dependency manager for Java
http://www.joachimschipper.nl/
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Mon, 13 Dec 2010 16:57:52 +1300 Joel Wiramu Pauling wrote:
> On 13 December 2010 16:13, Marti Martinez
> wrote:
> > On Sun, Dec 12, 2010 at 11:32 AM, Ted Unangst
> > wrote:
> >>
> >> At some point you're going to realize that the javascript that
> >> decrypts your mail has to come from someplace.
> >
> > A better alternative would be a PGP browser addon, which I think
> > already exists (but I'm too lazy to check on).
>
> Certainly does: firegpg

firegpg is the only way I can get friends and family to communicate with me securely. I don't even know what the interface looks like, but it does work (apparently).

-- end
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On 13 December 2010 16:13, Marti Martinez wrote:
> On Sun, Dec 12, 2010 at 11:32 AM, Ted Unangst wrote:
>> On Sun, Dec 12, 2010 at 1:16 PM, Alexander Shulgin
>> wrote:
>>> I know it might sound funny, but what do you guys think about
>>> feasibility of massively automatic PGP web mail with all
>>> encryption/decryption done through javascript in the client's browser?
>>
>> At some point you're going to realize that the javascript that
>> decrypts your mail has to come from someplace.
>>
>>
>
> A better alternative would be a PGP browser addon, which I think
> already exists (but I'm too lazy to check on).

Certainly does: firegpg
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Sun, Dec 12, 2010 at 11:32 AM, Ted Unangst wrote:
> On Sun, Dec 12, 2010 at 1:16 PM, Alexander Shulgin
> wrote:
>> I know it might sound funny, but what do you guys think about
>> feasibility of massively automatic PGP web mail with all
>> encryption/decryption done through javascript in the client's browser?
>
> At some point you're going to realize that the javascript that
> decrypts your mail has to come from someplace.
>
>

A better alternative would be a PGP browser addon, which I think already exists (but I'm too lazy to check on).

Granted, you still have to trust your browser/addon maker to a certain extent, but presumably if you're looking for web based mail encryption, you already do.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Sun, Dec 12, 2010 at 20:32, Ted Unangst wrote:
> On Sun, Dec 12, 2010 at 1:16 PM, Alexander Shulgin
> wrote:
>> I know it might sound funny, but what do you guys think about
>> feasibility of massively automatic PGP web mail with all
>> encryption/decryption done through javascript in the client's browser?
>
> At some point you're going to realize that the javascript that
> decrypts your mail has to come from someplace.

Ah, valid claim, thanks. This part definitely needs re-thinking :)

As far as I understand, SSL can only guarantee you that javascript came from the site you'd expect it to come from, but there's nothing that will stop the site admin/hijacker (if any) from altering the script in some clever way. At this point it boils down again to the privately owned server.

--
Alex
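The point made in the message above (TLS authenticates the host, not the bytes it serves) as an added example that is not part of the thread: a model of a script that is re-fetched on every page load, with a TLS-only check beside a check against a digest pinned out of band. The host name, user names, script bodies and function names are all constructed for illustration.

```javascript
// Added illustration, not code from the thread. Host name, user names and
// script bodies are constructed; no network access is performed.
const { createHash } = require('crypto');

const ORIGIN = 'https://mail.example';

// The script the operator published and that someone audited.
const AUDITED = [
  'function decryptMail(armored, privateKey) {',
  '  return pgpDecrypt(armored, privateKey);',
  '}',
].join('\n');

// Same host, same certificate, one extra statement (placeholder name).
const ALTERED = AUDITED.replace('  return', '  extraStep(privateKey);\n  return');

const sha256Hex = (text) =>
  createHash('sha256').update(text, 'utf8').digest('hex');

// Digest of the audited script, obtained out of band (for example shipped
// inside a browser add-on) rather than from the mail server itself.
const PINNED = sha256Hex(AUDITED);

// Model of the server: the script is fetched again on every page load, so
// whoever controls the host chooses the body per request.
function makeServer(changedFor, changedOnLoad) {
  return (user, load) => ({
    tlsOrigin: ORIGIN, // TLS succeeds either way: the host is genuine
    body: user === changedFor && load === changedOnLoad ? ALTERED : AUDITED,
  });
}

// Policy 1: what the browser checks by itself (origin authenticated by TLS).
const tlsOnly = (res) => res.tlsOrigin === ORIGIN;

// Policy 2: origin plus a content check against the pinned digest.
const tlsAndPin = (res) => tlsOnly(res) && sha256Hex(res.body) === PINNED;

// Replay `loads` page loads per user and report every load on which the
// policy would have executed a script that differs from the audited one.
function unauditedRuns(fetchScript, policy, users, loads) {
  const hits = [];
  for (const user of users) {
    for (let load = 1; load <= loads; load++) {
      const res = fetchScript(user, load);
      if (policy(res) && res.body !== AUDITED) hits.push(`${user}#${load}`);
    }
  }
  return hits;
}

function demo() {
  const server = makeServer('bob', 3); // one user, one page load
  const users = ['alice', 'bob'];
  return {
    tlsOnly: unauditedRuns(server, tlsOnly, users, 4),
    tlsAndPin: unauditedRuns(server, tlsAndPin, users, 4),
  };
}

console.log(demo());
```

The pinned check only helps when both the verifier and the digest live outside the page, which is the browser add-on case raised elsewhere in the thread.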
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
On Sun, Dec 12, 2010 at 1:16 PM, Alexander Shulgin wrote:
> I know it might sound funny, but what do you guys think about
> feasibility of massively automatic PGP web mail with all
> encryption/decryption done through javascript in the client's browser?

At some point you're going to realize that the javascript that decrypts your mail has to come from someplace.
Re: [Was: OT - gmail alternatives] PGP web mail anyone?
> what do you guys think

Personally, ...

> web mail

... i consider that a contradiction, and a stupid one.
[Was: OT - gmail alternatives] PGP web mail anyone?
On Thu, Dec 9, 2010 at 17:01, lh wrote:
> Hi,
>
> what are the good available alternatives (security/privacy) for gmail
> you're using?

I know it might sound funny, but what do you guys think about feasibility of massively automatic PGP web mail with all encryption/decryption done through javascript in the client's browser?

I've been thinking about this possibility for a while now and it looks really promising to me. As a proof of concept, there's already some effort to provide OpenPGP-compatible implementation in javascript, here: http://www.hanewin.net/encrypt/

The idea is that all mail sent through web interface will be automatically encrypted (if recipient public key is available; if recipient is @ our secure mail, we pick the public key automatically) and signed, all this done on the client side and then uploaded to the server. If user's inbox contains any encrypted messages they will be decrypted on the client side, as naturally only the client has the private key.

I can go into some further details of my vision on this if anyone shows interest in it.

--
Cheers,
Alex