[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ESD-translators] mailvelope Re: pEp

From: Tomas Stary
Subject: Re: [ESD-translators] mailvelope Re: pEp
Date: Sat, 28 Jul 2018 11:36:12 +0200

> On Fri, Jul 27, 2018 at 12:54:58AM +0200, Tomas Stary wrote:
>> Well, we still don't have a good replacement for email, so it can hardly
>> become obsolete. But the webmail is pretty good replacement for email
>> clients.
>> Also, nothing stops you from using email client if you prefer to,
>> because you are still able to decrypt emails from other people that use
>> webmail with mailvelope.
> But if software on any end is vulnerable, all participants are affected.

Quite true, depends on the level of thread you are trying to protect
yourself against.

If it is profiling from automated text-analysers for advertisement
purposes, you are probably safe.

If it is targeted attack on your person by intelligence services you
might not be.

>>>> Trying to teach those people about email clients besides of teaching
>>>> them encryption would only add to their confusion.
>>> Then they could try other communications (not email).
>> Which one do you suggest?
> It's hard for me to suggest anything. I use email.
>> However, as I understand it, the mailvelope addon creates a separate
>> container outside of the website, where sits the decrypted text, and
>> that cannot be accessed from the webpage javascript.
>> To the actual website the mailvelope sends only the cyphertext, so the
>> attacker could only get the encrypted text through javascript. (but
>> correct me if I am wrong)
> Let us start from encrypting. the user should enter the clear text
> in some area, then it's encrypted and sent. however, once someone
> knows that text, they can encrypt it themselves. now, what
> if the website popups a control that looks exactly like the one from
> mailvelope? the user will think the text is encrypted locally.
> When the text is decrypted or signed, I think the website could inject
> such controls between the user and mailvelope.
> Correct me if I'm wrong.

Good point. In mailvelope they tried to address it by "security
background" image. Quote:

The security background helps prevent user interface manipulations by
third-party websites and applications. To increase security, create and
change your customized Mailvelope background here.

So it is harder for the attacker to mimic your customized background.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]