[liberationtech] Mailvelope: OpenPGP Encryption for Webmail
Thomas Oberndörfer
toberndo at yarkon.de
Mon Dec 17 14:28:10 PST 2012
I just joined this list and wanted to share my view on a post from Karel:
> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,
This was not my position. I commented on this topic as follows:
> But of course best is to have the choice. Therefore I would like to see two different modes in Mailvelope:
> the current one (as default) that is integrated in webmail with all the risk and all the comfort.
> And a second one that offers strong isolation but maybe less usability. The mode is then configurable in the settings.
see: https://github.com/toberndo/mailvelope/issues/14
I agree that the security limitations of Mailvelope have not been
communicated properly from the start.
It's a young project; I didn't see all the implications from the beginning,
and there has also been no security audit yet.
Meanwhile I put a section in the documentation that describes the
limitations to the best of my knowledge:
http://www.mailvelope.com/help#security
Mailvelope has a strong focus on usability. It wants to lower the
barriers of entry to email encryption for people
with no previous experience in this field.
The question I want to ask with this project is: let's assume there is
a correlation between the usability of a security solution and the
number of people who are willing to use it.
There should be a big target group who either use a convenient
solution or stay away from e.g. email encryption altogether. A copy&paste
solution from Karel (and optionally with Mailvelope in the future) could
already be above the pain barrier of this group.
Now given this target group and the two alternatives: either no
encryption or Mailvelope (with its limitations).
Does the whole situation regarding mass surveillance of email traffic
improve, see zero effect, or get worse?
I am thankful for all insights about this question.
Thomas
> -------- Original Message --------
> Subject: Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
> Date: Mon, 17 Dec 2012 11:27:26 +0100
> From: Karel Bílek <kb at karelbilek.com>
> Reply-To: liberationtech <liberationtech at lists.stanford.edu>
> To: Eugen Leitl <eugen at leitl.org>, liberationtech at lists.stanford.edu
> CC: Cypherpunks list <cypherpunks at al-qaeda.net>
>
> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,
> I decided to fork his project and make a new one, which both encrypts
> and decrypts in a secure chrome pop-up.
>
> It's here, it's called ChromeGP.
> https://cryptoparty.cz/ChromeGP/
>
> Available on chrome web store here
> https://chrome.google.com/webstore/detail/chromegp/pebhdbojdpjfidjbneklefmpojncdpmf
>
> and on github here
> https://github.com/runn1ng/ChromeGP
>
> There are two big issues with it - first is missing signing/signature
> control (which should be easy to implement, but we will see) and the
> second is OpenPGP's trouble with zip compression inside PGP (which,
> unfortunately, causes the default Thunderbird/Enigmail encryption to fail
> to decrypt, I think).
>
> Feel free to share and/or criticize :)
>
> K