[liberationtech] Can Google's new "End to End" leak plaintext via the DOM? [was: Re: Mailvelope: OpenPGP Encryption for Webmail]

StealthMonger StealthMonger at
Thu Jun 12 13:36:15 PDT 2014

Uncle Zzzen <unclezzzen at> writes:

> The reason why FireGPG no longer ships with Tails is that the DOM of a web
> app is not a safe place for plaintext.
> Any architecture where plaintext is stored inside a web app's DOM is
> dangerous. Especially a webmail app that can be expected to save drafts,
> but not only. Web apps can be MITMed, XSSed, etc. If it came via the web,
> it's a suspect.

> I'd expect a crypto add-on to only accept plaintext (and other sensitive)
> information via separate GUI that can only be launched manually (not via
> JavaScript in an app's DOM) and has a hard-to-imitate look-and-feel (to
> discourage phishing). The only communication between this add-on and the
> rest of the browser should be via the clipboard. Users who can't handle
> copy/paste shouldn't be trusted with a key pair :)

A prominent new entry in OpenPGP encrypted webmail is Google's
"end-to-end" [1,2].  Does it avoid this issue?  How?



 -- StealthMonger
    Long, random latency is part of the price of Internet anonymity.

Key: mailto:stealthsuite at
