[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ESD-translators] mailvelope Re: pEp

From: Ineiev
Subject: Re: [ESD-translators] mailvelope Re: pEp
Date: Fri, 27 Jul 2018 13:42:40 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Jul 27, 2018 at 12:54:58AM +0200, Tomas Stary wrote:
> Well, we still don't have a good replacement for email, so it can hardly
> become obsolete. But the webmail is pretty good replacement for email
> clients.
> Also, nothing stops you from using email client if you prefer to,
> because you are still able to decrypt emails from other people that use
> webmail with mailvelope.

But if software on any end is vulnerable, all participants are affected.

> >> Trying to teach those people about email clients besides of teaching
> >> them encryption would only add to their confusion.
> >
> > Then they could try other communications (not email).
> Which one do you suggest?

It's hard for me to suggest anything. I use email.

> However, as I understand it, the mailvelope addon creates a separate
> container outside of the website, where sits the decrypted text, and
> that cannot be accessed from the webpage javascript.
> To the actual website the mailvelope sends only the cyphertext, so the
> attacker could only get the encrypted text through javascript. (but
> correct me if I am wrong)

Let us start from encrypting. the user should enter the clear text
in some area, then it's encrypted and sent. however, once someone
knows that text, they can encrypt it themselves. now, what
if the website popups a control that looks exactly like the one from
mailvelope? the user will think the text is encrypted locally.

When the text is decrypted or signed, I think the website could inject
such controls between the user and mailvelope.

Correct me if I'm wrong.

Attachment: signature.asc
Description: Digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]