Thus spake Arturo Filastò (art@xxxxxxxxxxxxxx):

> I actually think it would be a great idea to include PGP encryption
> support into the browser.
> I remember discussing this with Jake some time ago of maybe in the
> future having a bundle for Thunderbird and enigmail. I don't see why it
> is a bad idea to move one step closer into that direction by including
> PGP in the TBB.

I think the enigmail vulnerability surface is way more manageable than
an arbitrary webby one, though perhaps less useful.

> >> It also seems it was using a "bad design" practice for the IPC
> >> communications between various modules.
> >>
> >> * NPAPI based GPG is just released (by old FirePGP contributor)
> >> https://github.com/kylehuff/webpg-npapi
> >>
> >> Having a support for GPG encryption into a generic browser, with PGP
> >> operations usable from Javascript/XUL, could open a lot of improvements
> >> and opportunities to secure Webmail and other web applications.
> >
> > No. See https://tails.boum.org/bugs/FireGPG_may_be_unsafe/ , but
> > beware -- I'm sure katmagic and I missed a few dozen attacks.
>
> Well, that attack proposed there is pretty basic. I really think this is
> a useful idea and it should not be discarded with no thought.

The problem with a browser extension is that the very thing that makes
it useful is what makes it so risky. A GPG plugin of any kind becomes a
vector for all sorts of nasty web attacks that would have normally been
stopped by the server, such as XSS, XSRF, and various sorts of webbugs.
On top of that, you need to protect against XUL XSS (which yields
arbitrary code exec), as well as the privacy issues of leaking
side-channels about the existence of certain keys in an otherwise
anonymous browsing session.

I'm not sure exactly what the FireGPG author expects to gain by moving
all of this stuff to NPAPI. A naive use of his NPAPI code could easily
lead to an *increase* in the vulnerability surface, not a decrease.

And that's even assuming he codes the NPAPI bits safely. I think your
first task is to find out exactly what this guy thinks he did wrong in
JS+XPCOM, and why moving to a more complicated language like C++ will
make it better, and not worse. If he won't answer or won't tell you,
stay the hell away from his code.

> >> What do you think about it?
> >
> > No.
>
> Robert, why do you have to be so negative?

I think Robert is negative because the idea just sets off all sorts of
warning bells. I definitely agree that this doesn't make the idea not
worth doing. Personally, I think it would be way easier and safer to
devote the effort into securing Thunderbird for GPG and Tor so we could
just bundle that, but I understand the benefits and appeal of having
everything in the browser.

But man, tread with care. GPG-in-a-browser is like a minefield of killer
beehives in a jungle filled with wild dogs. Oh yeah, and when the dogs
bark, they shoot bees at you.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Attachment:
pgpkxNL91a5CY.pgp
Description: PGP signature
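The key-existence side channel Mike describes above, as an added example that is not part of the original message and does not model the FireGPG or webpg-npapi interfaces. The API names (hasKey, encryptFor, requestRecipient), the key IDs and the candidate list are all constructed for illustration. The naive design hands page script a per-key oracle; anything running in the page, including script injected via XSS, can walk a list of key IDs harvested elsewhere and learn which ones this "anonymous" session holds. The mediated design never lets content name a key: the user picks a recipient in extension (chrome) UI, content receives an opaque handle, and every failure looks the same.

```javascript
// Constructed keyring: long key IDs this user happens to hold (made up).
const USER_KEYRING = new Set([
  "0x1111111111111111",
  "0x2222222222222222",
]);

// Constructed candidate list: IDs an attacker could collect from public
// keyservers to test whether this session belongs to one of those people.
const ATTACKER_CANDIDATES = [
  "0x1111111111111111",
  "0x3333333333333333",
  "0x2222222222222222",
  "0x4444444444444444",
];

// Stand-in for real encryption: only the success/failure signal matters here.
function fakeArmor(plaintext) {
  const hex = [...plaintext].map((c) => c.charCodeAt(0).toString(16)).join("");
  return "-----BEGIN PGP MESSAGE-----\n" + hex + "\n-----END PGP MESSAGE-----";
}

// Naive design (hypothetical): PGP primitives are callable directly from page
// script, keyed by key ID, with specific error messages. No user gesture needed.
function makeNaiveGpgApi(keyring) {
  return {
    hasKey(keyId) {
      return keyring.has(keyId);
    },
    encryptFor(keyId, plaintext) {
      if (!keyring.has(keyId)) throw new Error("no public key for " + keyId);
      return fakeArmor(plaintext);
    },
  };
}

// What injected script learns from the naive API: which candidates are held.
// hasKey() is not even required; encryptFor() succeeding or throwing is the
// same oracle, so removing hasKey() alone would not close the leak.
function probeNaive(api, candidates) {
  const found = [];
  for (const id of candidates) {
    try {
      api.encryptFor(id, "probe");
      found.push(id);
    } catch (e) {
      // specific error => key absent; either way the attacker learns a bit
    }
  }
  return found;
}

// Mediated design (hypothetical): content cannot name a key. It asks the
// extension to let the user choose a recipient in trusted UI; userPickedKey
// models that choice (null = the user did nothing). Content only ever sees an
// opaque handle, and absent a user gesture every call fails identically.
function makeMediatedGpgApi(keyring, userPickedKey) {
  const handles = new Map();
  return {
    requestRecipient() {
      if (userPickedKey === null || !keyring.has(userPickedKey)) {
        return null; // uniform: "refused" and "no such key" are indistinguishable
      }
      const handle = "recipient-" + handles.size;
      handles.set(handle, userPickedKey);
      return handle;
    },
    encryptFor(handle, plaintext) {
      if (!handles.has(handle)) return null; // uniform failure, no key ID echoed
      return fakeArmor(plaintext);
    },
  };
}

// The same probe against the mediated API: key IDs are not valid handles, so
// every call fails the same way and the attacker learns nothing per key.
function probeMediated(api, candidates) {
  const found = [];
  for (const id of candidates) {
    if (api.encryptFor(id, "probe") !== null) found.push(id);
  }
  return found;
}
```

The mediated shape closes the existence oracle at the API level only; timing of the trusted UI, error paths in the native code behind it, and anything that lets content script reach chrome privileges (the XUL XSS case above) are separate surfaces that this toy does not address.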
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk