Mozilla, License (again), PPG, GPGME

R. Saravanan saravn@mozdev.org
Wed Mar 20 20:26:01 2002


Regarding Enigmail:

On Fri Mar 15 19:16:01 2002, Werner Koch said:

 > A friend checked it out under Windows and according to him
 > it basically works and he could exchange encrypted or signed mails
 > with Mutt and Gnus users.

Just to confirm that Enigmail, a Mozilla "plugin" for GPG/PGP, is now in 
much better shape than it was just a few months ago, and is being used 
by several people. I will shortly post an "official" announcement in the 
users mailing list regarding the availability of Enigmail from 
http://enigmail.mozdev.org

As for Enigmail's architecture, it uses pipes to communicate with 
command-line PGP or GPG; hence no license issues. This seems to work 
fine for encryption/decryption/verification etc. although it could be 
cumbersome for key management, which Enigmail doesn't really do at the 
moment.

As for security, using Enigmail is in a sense only as secure as using 
Mozilla itself. If you are using Mozilla, and a malicious web page 
manages to gain "Universal Browser Access" privileges, it could read or 
write files in your directory, and perhaps even modify your GPG 
executable! Additional insecurities introduced by Enigmail mostly have 
to do with obtaining and caching the passphrase. Enigmail has a passphrase 
caching option which can be turned off. Enigmail also takes some basic 
precautions to prevent access to the cached passphrase. There is still 
the possibility of "user interface spoofing" to obtain the passphrase, 
which I don't see a way of completely avoiding. One could perhaps gain 
some extra security by running the Mozilla mailer in a stand-alone mode, 
i.e., not as part of the browser.

Saravanan
Enigmail developer
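
The pipe-based design described in the message, as an added sketch that is not Enigmail's code: a front end starts the command-line tool as a child process, sends the message on stdin, and hands over the passphrase on a separate pipe so it never appears in the argument list. The function names are hypothetical; the GnuPG options shown are real, and a constructed stand-in child replaces gpg so the block runs without a keyring.

```python
import os
import subprocess
import sys


def gpg_decrypt_argv(passphrase_fd, gpg="gpg"):
    """Command line for decryption; the passphrase itself never appears in it."""
    return [gpg, "--batch", "--no-tty",
            "--pinentry-mode", "loopback",  # GnuPG 2.1+ needs this to honour --passphrase-fd
            "--passphrase-fd", str(passphrase_fd),
            "--decrypt"]


def run_with_passphrase_pipe(make_argv, passphrase, data):
    """Run a child, giving it `passphrase` on a private pipe and `data` on stdin.

    make_argv(fd) returns the argv to execute, given the number of the
    descriptor the child will read the passphrase from.
    """
    read_fd, write_fd = os.pipe()
    try:
        # A passphrase is far smaller than the pipe buffer, so this cannot block.
        os.write(write_fd, passphrase + b"\n")
    finally:
        os.close(write_fd)
    try:
        proc = subprocess.Popen(make_argv(read_fd),
                                stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE,
                                pass_fds=(read_fd,))  # only this extra fd is inherited
    finally:
        os.close(read_fd)
    out, err = proc.communicate(data)
    return proc.returncode, out, err


def standin_argv(fd):
    """Constructed stand-in for gpg: echoes the passphrase fd, then its stdin."""
    code = ("import os,sys;"
            "sys.stdout.buffer.write(os.read(int(sys.argv[1]),64)+sys.stdin.buffer.read())")
    return [sys.executable, "-c", code, str(fd)]


if __name__ == "__main__":
    print(gpg_decrypt_argv(3))
    print(run_with_passphrase_pipe(standin_argv, b"constructed-passphrase", b"ciphertext"))
```

Passing `gpg_decrypt_argv` in place of `standin_argv` runs the real tool the same way. The pipe keeps the passphrase out of the process list, but it does not protect a copy cached in the front end's own memory.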