Thus spake Moritz Bartl (moritz@xxxxxxxxxxxxxx):

> On 10.10.2011 22:29, Fabio Pietrosanti (naif) wrote:
> > No code coming from the web would be allowed to interact with the
> > plug-in but the end-user will still have all the encryption features
> > under his power, usable in a modern web-based world.
>
> The problem Robert and katmagic are referring to (read access to the
> DOM) can only be mitigated by disabling active scripting on the pages
> where GPG is used. The plugin probably would have to notify the user,
> then disable all scripting and reload the page, before executing GPG
> functionality. This does not help against the "read plaintext before
> encryption" attack, obviously.
>
> At the moment, I cannot think of any attack vectors once you combine it
> with enabled Torbutton (or a stripped down Tor Browser) where active
> scripting/access to the DOM is disabled completely.

Actually, these attacks are generally prohibited by strong isolation
between the content script and the XUL script. In XUL, you can read the
ciphertext, extract it, decrypt it, and display it in a protected XUL
window without introducing risk, IF all steps are done properly.

There are some subtleties here involving special privilege isolation
wrappers (via XPCSafeJSObjectWrapper and others), but there is no
fundamental reason that it is impossible. Just complicated and tricky,
in either NPAPI or XPCOM (but probably worse with NPAPI, because you
won't get the privilege isolation wrappers for free like XPCOM).

The one exception is deception: One could imagine all manner of
clickjacking-esque games that could be designed by malicious JavaScript
to capture context clicks or mouseovers to create a fake password menu.
Authentication and decryption UI should be designed to exist primarily
outside of the content area for this reason.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk