[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Ideas to securely implement PGP encryption/decryption

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
From: Moritz Bartl <moritz@xxxxxxxxxxxxxx>
Date: Tue, 11 Oct 2011 12:59:57 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 11 Oct 2011 07:00:25 -0400
In-reply-to: <20111011020719.GF19690@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4E9355A6.8030505@xxxxxxxxxxxxxxx> <4E936FFF.1080507@xxxxxxxxxxxxxx> <20111011020719.GF19690@xxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

On 11.10.2011 04:07, Mike Perry wrote:
>> At the moment, I cannot think of any attack vectors once you combine it
>> with enabled Torbutton (or a stripped down Tor Browser) where active
>> scripting/access to the DOM is disabled completely.
> Actually, these attacks are generally prohibited by strong isolation
> between the content script and the XUL script. In XUL, you can read
> the ciphertext, extract it, decrypt it, and display it in a protected
> XUL window without introducing risk, IF all steps are done properly.

I was thinking of the obvious interaction a user expects for encryption
of plaintext data: I type data into a web form, when I am done I execute
the encrypt command.
I don't see how you can isolate web forms in the DOM in a way that it
cannot be read in between typing and encrypting the data.

-- 
Moritz Bartl
https://www.torservers.net/
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
  - From: Mike Perry

References:
- [tor-talk] Ideas to securely implement PGP encryption/decryption
  - From: Fabio Pietrosanti (naif)
- Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
  - From: Moritz Bartl
- Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
  - From: Mike Perry

Prev by Author: Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
Next by Author: Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum
Previous by thread: Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
Next by thread: Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
Index(es):
- Author
- Thread