
Re: [GNU/consensus] [SocialSwarm-D] PGP Mail Client in the Browser


From: carlo von lynX
Subject: Re: [GNU/consensus] [SocialSwarm-D] PGP Mail Client in the Browser
Date: Fri, 30 Oct 2015 23:53:54 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

On Fri, Oct 30, 2015 at 08:45:28PM +0100, Per Guth wrote:
> Hello,

Hello Per. Sorry for being again on the opposite dimension
of opinionspace. I don't mean to put you down, I just have
a very skeptical look at things...

> I think this constitutes quite a huge leap forward in terms of
> usability. Basically they combined open source javascript libraries

Wait, first of all the main usability problems of PGP are caused
by SMTP.. therefore changing the UI doesn't address any of those.
I presented about that at http://youbroketheinternet.org/#30c3usability
and collected 15 problems with PGP at http://secushare.org/PGP

By the way, Hartmut, how many of the problems listed on that page
does pEp handle?

> for IMAP, TLS and OpenPGP to form a client side browser based email
> client that is capable of making e2e encrypted mailing charmingly

Reducing the insecurity of PGP even further... while we should
focus on making metadata resistant mail systems!

> easy. That combined with the state of the art UI from
> https://github.com/nylas/N1 would be terrific!

Ricochet or Telegram aren't so ugly either. They are written in Qt.

> Using JavaScript Whiteout will establish an **encrypted end-to-end
> connection** from your browser/the app/the extension **to the IMAP
> server**.

Wow.. now that I call whitewashing. Using the terminology "end-to-end"
to mean the connection to the server is really really selling snake
oil to the people. As if servers were the end of anything.

> Keys can easily be **generated (2048 bit)** on the client,

Trusting JS code from the server...

> **imported, exported and revoked**. Users have the option to use an
> **encrypted private key sync** if they conveniently want to use the
> same key on multiple devices. Whiteout will **transparently search
> for public keys** of peers by querying common public key servers.

Exposing the metadata of communication partners before any mail
has been sent?

> Sent encrypted mails are encrypted to self before they get saved to
> `Sent`.

What happens with unsent drafts? Thunderbird and Claws both had
the bug of sending them to the IMAP server in the clear.

> A **pure Javascript** implementation of the OpenPGP protocol:
> [OpenPGP.js](http://openpgpjs.org/). Only supports browsers that
> implement `window.crypto.getRandomValues`. Code base has undergone
> **two complete security audits** from [Cure53](https://cure53.de/).

Too bad that OpenPGP is really really bad for metadata protection.
One implementation was already one too many.


-- 
  E-mail is public! Talk to me in private using encryption:
         http://loupsycedyglgamf.onion/LynX/
          irc://loupsycedyglgamf.onion:67/lynX
         https://psyced.org:34443/LynX/


