[liberationtech] Can Google's new "End to End" leak plaintext via the DOM? [was: Re: Mailvelope: OpenPGP Encryption for Webmail]

StealthMonger StealthMonger at nym.mixmin.net
Thu Jun 12 13:36:15 PDT 2014


Uncle Zzzen <unclezzzen at gmail.com> writes:

> The reason why FireGPG no longer ships with tails is that the DOM of a web
> app is not a safe place for plaintext
> https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/
> Any architecture where plaintext is stored inside a web app's DOM is
> dangerous. Especially a webmail app that can be expected to save drafts,
> but not only. Web apps can be MITMed, XSSed, etc. If it came via the web,
> it's a suspect.

> I'd expect a crypto add-on to only accept plaintext (and other sensitive)
> information via separate GUI that can only be launched manually (not via
> javascript in an app's DOM) and has a hard-to-imitate look-and-feel (to
> discourage phishing). The only communication between this add-on and the
> rest of the browser should be via the clipboard. Users who can't handle
> copy/paste shouldn't be trusted with a key pair :)

A prominent new entry in OpenPGP encrypted webmail is Google's
"end-to-end" [1,2].  Does it avoid this issue?  How?

[1] https://code.google.com/p/end-to-end/
[2] http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html

-- 


 -- StealthMonger
    Long, random latency is part of the price of Internet anonymity.


Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key