PGP/GPG does not work easily with web-mail.

Mike Cardwell gnupg at lists.grepular.com
Thu Apr 10 10:42:35 CEST 2014


* on the Wed, Apr 09, 2014 at 11:37:52PM +0100, One Jsim wrote:

> PGP/GPG does not work easily with web-mail.

Roundcube plus the PGP plugin:

http://roundcube.net/
https://github.com/qnrq/rc_openpgpjs

The way it works is pretty cool. You paste your private PGP key into
a form, and it doesn't get submitted to the server, it just gets stored
in the browser's localStorage using JavaScript. So all PGP operations
are done locally in the browser, rather than sending the key off to the
server to do it server side. It's based on openpgp.js, which is basically
a free JavaScript library for doing OpenPGP:

http://openpgpjs.org/

The only problem is (and it's a big one), you have to trust the
JavaScript that the server sends. The server could always send some
evil JavaScript to you which reads the key from the browser storage
and then sends it back to the server or elsewhere. Also, if there are
any XSS flaws, there's another potential way of losing the key.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4


More information about the Gnupg-users mailing list