[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Fwd: Tor Browser Bundle: PGP encryption built-in?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Fwd: Tor Browser Bundle: PGP encryption built-in?
From: Robert Ransom <rransom.8774@xxxxxxxxx>
Date: Mon, 10 Oct 2011 21:54:09 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 10 Oct 2011 17:54:26 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=+KC5oLK64/lNMyzQ3IaQDeiuKn/9e7sSzIeGfHDwM7A=; b=r4NrDCxkHSn2P25KQCqCPrsIlSW9g/yCP0ok8yMcpfzqa3L90HYYWdzEymp1l7S+l5 LVoapQ2ZUhdp8/71yoeRw9SISgaO/aqYpBTA7Ekpnfe7knc1AAxbpD0eAdtj3F4WoZQx 9bbjmF3jkTdmtO/unDEoMkOO/hYBVHuRwxbAU=
In-reply-to: <4E931200.5090807@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4E928D52.4080204@xxxxxxxxxxxxxxx> <4E930D98.7000107@xxxxxxxxxxxxxxx> <4E931200.5090807@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

On 2011-10-10, Fabio Pietrosanti (naif) <lists@xxxxxxxxxxxxxxx> wrote:
> Hi Kyle and Aaron,
>
> let me answer to you by making in Cc the tor-talk mailing lists where
> there is an on-going discussion about it.
>
> It has been suggested that FireGPG is unsafe
> (https://tails.boum.org/bugs/FireGPG_may_be_unsafe/), your approach by
> design sounds very nice.

You seem to have missed the point of that page -- the problem with
FireGPG is what it allows, not how it was implemented.

> I am wondering whether it would be possible to add another simple
> security mechanism so that the user is "alerted" anytime a GPG related
> operation is going to be executed.
>
> Something like:
> "The website blahblah.com would like to use PGP to [encrypt|sign|cipher]
> web-data, do you want to allow it?"
>
> Ransom, what do you think about Kyle and Aaron approach? (Eventually
> including a "pre-warning" for any sensitive operation to the end-user)?

A warning before JavaScript enumerates your keyring isn't sufficient.
Users must, at a minimum, be able to block all further attempts by a
page or website to use GPG features.

And even that won't help most users -- a request-for-permission dialog
can only protect users who read messages before clicking 'Allow', and
who understand that allowing a website to use a GPG plugin is
dangerous.

> By embedding a GPG support into TorBrowserbundle, the Tor Project would
> eventually provide a "Trusted PGP Key lookup server" on a Tor Hidden
> Service that forward the PGP key lookup to public internet key servers.

No we wouldn't.

> I mean, today everything goes over HTTP, but our browsers are capable of
> doing end-to-end encryption only by using Javascript.
> Why not try to "enable" the best of Anonimity (Tor) + best of Web
> Browsing (Firefox) with best of encryption (GPG) ?

I don't consider Firefox the 'best of Web Browsing' or GPG the 'best
of encryption'.  They are only the crap tools we're stuck with for
now.

Robert Ransom
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] Fwd: Tor Browser Bundle: PGP encryption built-in?
  - From: Fabio Pietrosanti (naif)

Prev by Author: Re: [tor-talk] Tor Browser Bundle: PGP encryption built-in?
Next by Author: Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
Previous by thread: Re: [tor-talk] Fwd: Tor Browser Bundle: PGP encryption built-in?
Next by thread: [tor-talk] WSJ- Google- Sonic Mr. Applebaum
Index(es):
- Author
- Thread