Re: [ESD-translators] mailvelope Re: pEp
From: Tomas Stary
Subject: Re: [ESD-translators] mailvelope Re: pEp
Date: Sat, 28 Jul 2018 11:36:12 +0200
Ineiev:
> On Fri, Jul 27, 2018 at 12:54:58AM +0200, Tomas Stary wrote:
>>
>> Well, we still don't have a good replacement for email, so it can hardly
>> become obsolete. But the webmail is a pretty good replacement for email
>> clients.
>>
>> Also, nothing stops you from using an email client if you prefer to,
>> because you are still able to decrypt emails from other people that use
>> webmail with mailvelope.
>
> But if software on any end is vulnerable, all participants are affected.
>
Quite true, depends on the level of threat you are trying to protect
yourself against.
If it is profiling from automated text-analysers for advertisement
purposes, you are probably safe.
If it is a targeted attack on your person by intelligence services you
might not be.
>>>> Trying to teach those people about email clients besides teaching
>>>> them encryption would only add to their confusion.
>>>
>>> Then they could try other communications (not email).
>>
>> Which one do you suggest?
>
> It's hard for me to suggest anything. I use email.
>
>> However, as I understand it, the mailvelope addon creates a separate
>> container outside of the website, where sits the decrypted text, and
>> that cannot be accessed from the webpage javascript.
>>
>> To the actual website the mailvelope sends only the cyphertext, so the
>> attacker could only get the encrypted text through javascript. (but
>> correct me if I am wrong)
>
> Let us start from encrypting. The user should enter the clear text
> in some area, then it's encrypted and sent. However, once someone
> knows that text, they can encrypt it themselves. Now, what
> if the website pops up a control that looks exactly like the one from
> mailvelope? The user will think the text is encrypted locally.
>
> When the text is decrypted or signed, I think the website could inject
> such controls between the user and mailvelope.
>
> Correct me if I'm wrong.
>
Good point. In mailvelope they tried to address it with a "security
background" image. Quote:
"""
The security background helps prevent user interface manipulations by
third-party websites and applications. To increase security, create and
change your customized Mailvelope background here.
"""
So it is harder for the attacker to mimic your customized background.