[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Email provider for privacy-minded folk



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Moritz Bartl:
> Hi,
> 
> On 14.02.2013 11:42, adrelanos wrote:
>> What if Hushmail (or any other mail provider) had recommended the
>> user to install a browser add-on to do encryption locally? Could
>> they get forced to convince the user to install a malicious 
>> browser add on, on request by law enforcement?
> 
> Most likely. Why not?

I was actually thinking exactly this myself.

> 
> "My" way would be to produce the browser addon independently from 
> offering mail services. The mail provider would then just be 
> recommending the "third-party" addon -- even if the addon is made 
> specifically for that service (or web interface).
> 
> Browser plugins for en/decryption were often discussed here and
> you should be aware of their issues. In short, you cannot create a
> safe en/decryption plugin and at the same time have high
> usability.
> 

I don't see any point in a browser extension if you're going to go to
the extent of installing that why not just use an email client.

It would use a lot less bandwidth to use a email client like
Thunderbird and use POP/IMAPS than a web interface anyway.

I'd also argue that it's a lot more secure too, given that
implementations like FireGPG always had issues.

Also, the source code for the extension would need to be available,
and then it would be bound to particular browsers, not a good move in
my opinion.

It would also be only available then on particular platforms. I know
for example with PGP I can decrypt emails on Android using K9/Kaiten
with APG.

Also as it would only be used with one provider, the code would have a
lot less widespread usage in comparison to something like Enigmail and
Thunderbird or Sylpheed etc.

I also think hushmail's Java requiring extension is a lot less usable
than a decent mail client with pgp support, even inexperienced users
detest horribly slow java applets. Then there's also the fact that
Oracle can be kinda slow to fix 0day Java exploits, and those nearly
always revolve around the web browser.

- -- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJRHPKFAAoJEF2gSFkP1LMTl+wP/io9fHqggZUCQXihfRjVWInF
12xnpJMiM5amVCTHv0ypUEU0FB+zlPRXCZPWOkoKw9P8NK/NZuEq0KFVXT1SKxRS
l2WBmVIdOwj1r7dGxIEc2HL/+St47qunQAWcOluRAvIY1UHFSZFRS29zvQr72WDt
+OYOrciFmR2cu+qMx9xtJzZx3637yZ/VYiHFhrE3bJ2tXAaESmwT78MdhTbJr+/Z
qimUDyUtWt08vuQ6+mbipxVUWBadpw64zvV66v4ZUGoj9utzYqW/PYiYrdZ9Pk7V
Y62mlcN8ylGSfiQDUvmAUcHJgEp8QUlPpVLzYxY4wZHNYLNyMtnHP3qFRb/samix
dXljclYEoGkDxmJFudbI2FQGJAurNYzrz2wE+K4HH307MLE5G4gCIxQ8MdgUZefa
roQkhcSjm2/H+dxGIHBBr5wKjkJ8F41nEnLdtzuOq76zd/n1TgAqAxcLAaNItYql
0qg2+9bmZDZqoVXzqaOsgrkeA0emRObTE4vg4bvVVPxsqSib/YJwlCwmEhSqz8JA
yD+yYqoKnsBRZgQngAV1tQrBJAulFlsnVVLyJ1s52JK+0ZKhY429GQDv/hBA+uke
+f+5n2BfXcJ9ACNt12S9dlBr8jyMDPx16S5b0y/clBUNcK0PtCTsOHAfig2TnXZG
j5IQ8TH/ShiZwCCPgm03
=BYdp
-----END PGP SIGNATURE-----
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk