[liberationtech] Whiteout OpenPGP.js encrypted mail client (Chrome HTML5 App)

Paul Ferguson fergdawgster at mykolab.com
Tue Jan 21 21:11:40 PST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 1/21/2014 8:52 PM, Andrés Leopoldo Pacheco Sanfuentes wrote:

> What is the "value proposition" of changing email client from
> Gmail?
> 

Please don't feed the troll.

Thank you.

- - ferg



> On Jan 21, 2014 10:24 PM, "Tony Arcieri" <bascule at gmail.com> wrote:
> 
> On Tue, Jan 21, 2014 at 6:53 PM, Fabio Pietrosanti (naif)
> <lists at infosecurity.ch> wrote:
> 
> I just would like to argue that the delivery (download,
> installation, upgrade) of a Chrome App is far more secure than a
> native application with an executable installer, due to the trust
> model of the application store and the reduced risks of being
> hijacked/infected during the download.
> 
> 
> Yes and no.
> 
> It's true that Chrome extensions distributed through Google's
> walled garden are more secure than typing an address into your URL
> bar.
> 
> It's true that native applications have wide-ranging capabilities 
> that browser extensions don't.
> 
> But it's important to keep in mind that browser extensions are 
> fraught with their own problems, and that browsers are complex 
> beasts with even more complex potential interactions between 
> components, the possibilities of which are extremely hard to 
> understand, even by the browser authors themselves.
> 
> Where browser extensions can fall down is unexpected interactions 
> with web pages and JavaScript running on them. This is a problem 
> that native apps don't have because the browser is attempting to
> act as a sandbox, so escalating privilege from JavaScript to
> native code execution is much more difficult than
> escalating privileges to interact with browser extensions
> unexpectedly. In this regard, native apps are superior, because the
> browser is trying to prevent that interaction from happening.
> Native apps are "airgapped" from web pages in a way browser
> extensions are not.
> 
> This is a good talk on the matter, specifically in regard to
> Chrome:
> 
> http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff-attacking-with-google-chrome-extensions
>
> Don't get me wrong, things are getting better, but we're not
> completely there yet.
> 
> -- Tony Arcieri
> 



- -- 
Paul Ferguson
PGP Public Key ID: 0x54DC85B2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlLfUwsACgkQKJasdVTchbKpwQD5ARHMTMUwUnt3r3FeeCWvzzB1
W+jWmAk/pIvZPOltOf8BAMAiTOu8wbzawNSP8I+svj+TlrlEM13FNJ2ALRamFGqB
=5BXU
-----END PGP SIGNATURE-----


