
Re: [tor-talk] Ideas to securely implement PGP encryption/decryption



On 10.10.2011 22:29, Fabio Pietrosanti (naif) wrote:
> No code coming from the web would be allowed to interact with the
> plug-in but the end-user will still have all the encryption features
> under his power, usable in a modern web-based world.

The problem Robert and katmagic are referring to (read access to the
DOM) can only be mitigated by disabling active scripting on the pages
where GPG is used. The plugin probably would have to notify the user,
then disable all scripting and reload the page, before executing GPG
functionality. This does not help against the "read plaintext before
encryption" attack, obviously.

At the moment, I cannot think of any attack vectors once you combine it
with enabled Torbutton (or a stripped down Tor Browser) where active
scripting/access to the DOM is disabled completely.

-- 
Moritz Bartl
https://www.torservers.net/