
[liberationtech] Mailvelope: OpenPGP Encryption for Webmail

Thomas Oberndörfer toberndo at
Mon Dec 17 14:28:10 PST 2012

I just joined this list and wanted to share my view on a post from Karel:

> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,

This was not my position. I commented on this topic as follows:

> But of course best is to have the choice. Therefore I would like to see two different modes in Mailvelope:
> the current one (as default) that is integrated in webmail with all the risk and all the comfort.
> And a second one that offers strong isolation but maybe less usability. The mode is then configurable in the settings.


I agree that the security limitations of Mailvelope have not been
communicated properly from the start.
It's a young project, I didn't see all implications from the beginning
and there has also been no security audit yet.
Meanwhile I put a section in the documentation that describes the
limitations to the best of my knowledge:

Mailvelope has a strong focus on usability. It wants to lower the
barriers of entry to email encryption for people
with no previous experience in this field.
The question I want to ask with this project is: let's assume there is
a correlation between the usability of a security solution and the
number of people who are willing to use it.
There should be a big target group who either use a convenient
solution or stay away from e.g. email encryption altogether. A copy&paste
solution from Karel (and optionally with Mailvelope in the future) could
already be above the pain barrier of this group.
Now given this target group and the two alternatives: either no
encryption or Mailvelope (with its limitations).
Does the whole situation regarding mass surveillance of email traffic
improve, see zero effect, or get worse?
I am thankful for all insights about this question.


> -------- Original Message --------
> Subject:     Re: [liberationtech] Mailvelope: OpenPGP Encryption for Webmail
> Date:     Mon, 17 Dec 2012 11:27:26 +0100
> From:     Karel Bílek <kb at>
> Reply-To:     liberationtech <liberationtech at>
> To:     Eugen Leitl <eugen at>, liberationtech at
> CC:     Cypherpunks list <cypherpunks at>
> Because Thomas (the original developer of Mailvelope) wanted to let
> the extension work as it was, with the unsecure encryption inside DOM,
> I decided to fork his project and make a new one, which both encrypts
> and decrypts in a secure chrome pop-up.
> It's here, it's called ChromeGP.
> Available on chrome web store here
> and on github here
> There are two big issues with it - first is missing signing/signature
> control (which should be easy to implement, but we will see) and the
> second is OpenPGP's trouble with zip compression inside PGP (which,
> unfortunately, causes the default Thunderbird/Enigmail encryption to fail
> to decrypt, I think).
> Feel free to share and/or criticize :)
> K
