Mozilla, License (again), PPG, GPGME
R. Saravanan
saravn@mozdev.org
Wed Mar 20 20:26:01 2002
Regarding Enigmail:
On Fri Mar 15 19:16:01 2002, Werner Koch said:
> A friend checked it out under Windows and according to him
> it basically works and he could exchange encrypted or signed mails
> with Mutt and Gnus users.
Just to confirm that Enigmail, a Mozilla "plugin" for GPG/PGP, is now in
much better shape than it was just a few months ago, and is being used
by several people. I will shortly post an "official" announcement in the
users mailing list regarding the availability of Enigmail from
http://enigmail.mozdev.org
As for Enigmail's architecture, it uses pipes to communicate with
command-line PGP or GPG; hence no license issues. This seems to work
fine for encryption/decryption/verification etc. although it could be
cumbersome for key management, which Enigmail doesn't really do at the
moment.
As for security, using Enigmail is in a sense only as secure as using
Mozilla itself. If you are using Mozilla, and a malicious web page
manages to gain "Universal Browser Access" privileges, it could read or
write files in your directory, and perhaps even modify your GPG
executable! Additional insecurities introduced by Enigmail mostly have
to do with obtaining and caching the passphrase. Enigmail has a passphrase
caching option which can be turned off. Enigmail also takes some basic
precautions to prevent access to the cached passphrase. There is still
the possibility of "user interface spoofing" to obtain the passphrase,
which I don't see a way of completely avoiding. One could perhaps gain
some extra security by running the Mozilla mailer in a stand-alone mode,
i.e., not as part of the browser.
Saravanan
Enigmail developer