[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Ideas to securely implement PGP encryption/decryption
On 10.10.2011 22:29, Fabio Pietrosanti (naif) wrote:
> No code coming from the web would be allowed to interact with the
> plug-in but the end-user will still have all the encryption features
> under his power, usable in a modern web-based world.
The problem Robert and katmagic are referring to (read access to the
DOM) can only be mitigated by disabling active scripting on the pages
where GPG is used. The plugin probably would have to notify the user,
then disable all scripting and reload the page, before executing GPG
functionality. This does not help against the "read plaintext before
encryption" attack, obviously.
At the moment, I cannot think of any attack vectors once you combine it
with enabled Torbutton (or a stripped down Tor Browser) where active
scripting/access to the DOM is disabled completely.
--
Moritz Bartl
https://www.torservers.net/
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk