Mailvelope browser extension for webmail

Duane Whitty duane at nofroth.com
Mon May 29 13:24:40 CEST 2017


Hi list,

Thoughts on the Mailvelope browser extension...?

Here's some of their material:

https://www.mailvelope.com/en/faq

"What is the purpose of this project?

Mailvelope is an easy-to-use web-browser extension which brings OpenPGP
encryption to webmail services such as Gmail™, Yahoo™ and others. With
its unintrusive interface fully integrated into your webmail service,
Mailvelope instantly secures your personal and professional email
communications."

Next one seems a little concerning to me but I'm no browser expert:

"Where are my keys stored?

Mailvelope stores the keys in the local storage of the browser and only
there. This is a file in the user data directory of Chrome or the
profiles folder of Firefox. If you clear temporary browsing data this
will not affect the key storage of Mailvelope. If you delete the
Mailvelope Chrome extension, then the key storage will also be removed
from your file system. On Firefox there is an additional confirmation
dialog once you remove the Mailvelope add-on that allows to delete all
keys or leave them in the profile folder of the system."

https://www.mailvelope.com/en/blog/security-warning-mailvelope-in-firefox

"15/05/2017 | Security notice: Mailvelope in the current version of
Firefox browser.

We are in the possession of a security audit that was requested by the
email provider Posteo and conducted by Cure53, which has revealed that
the Firefox security structure is currently unable to offer a
sufficiently safe environment for the Mailvelope browser extension.

Mailvelope naturally relies on the security of the underlying browser
platform. In the present case, we are unable to offer a remedy
ourselves. Nevertheless, Mozilla is already working on a fundamental
improvement of the add-on system. In November 2017, Firefox is scheduled
to finally switch to an overhauled add-on structure, which will then
offer sufficient protection against attacks.

A new Mailvelope version for the new, improved Firefox structure is
already in the making.

Until Mozilla has modified the architecture, the following safety
recommendations apply:

    - Be sure to use a separate Firefox profile for Mailvelope with no
      other extensions installed.
    - Make sure your password for your PGP key is as secure as possible.
    - Take care that you do not accidentally install any other add-ons in
      this profile, which may make you vulnerable to attacks.

The security audit also demonstrated some positive results regarding
Mailvelope. Posteo writes about this:

    There was a check made as to whether email providers for which
    Mailvelope is used could access a Mailvelope user’s private keys saved
    in the browser – this was not possible. All other attempts made by the
    security engineers to access private keys saved in Mailvelope, such as
    operating third party websites or man-in-the-middle attacks, were also
    unsuccessful.

Security Audits such as the one performed by Posteo serve as an
important indicator that shows how we can further improve Mailvelope. At
this point, we’d like to thank Posteo for conducting the audit and thus
their contribution to the Mailvelope project."

I didn't see any Google related security information or notices.

Best Regards,
Duane

-- 
Duane Whitty
duane at nofroth.com
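
Added example, not part of the original post and not Mailvelope's own code: one way to check the quoted recommendation that the dedicated Firefox profile holds no extension other than Mailvelope, by reading the profile's extensions.json. It assumes the "addons" entries carry "id", "type", "location" and "defaultLocale" fields and that user-installed add-ons have location "app-profile"; the add-on IDs and sample data are constructed placeholders, so pass the real Mailvelope ID from your own profile.

```python
import json
import sys

# Constructed placeholder; look up the real Mailvelope add-on ID in about:support.
MAILVELOPE_ID = "mailvelope@placeholder.invalid"

# Constructed sample of a profile's extensions.json (assumed field layout).
SAMPLE = json.dumps({"addons": [
    {"id": MAILVELOPE_ID, "type": "extension", "location": "app-profile",
     "active": True, "defaultLocale": {"name": "Mailvelope"}},
    {"id": "other-addon@placeholder.invalid", "type": "extension",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Some Other Add-on"}},
    {"id": "theme@placeholder.invalid", "type": "theme",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "A Theme"}},
    {"id": "builtin@placeholder.invalid", "type": "extension",
     "location": "app-system-defaults", "active": True,
     "defaultLocale": {"name": "Shipped With Browser"}},
]})


def extra_addons(extensions_json_text, allowed_ids):
    """Return (id, name, active) for every extension installed into the
    profile whose ID is not in allowed_ids. Disabled add-ons are reported
    too, since the recommendation is that none be installed at all."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries, language packs
        if addon.get("location") != "app-profile":
            continue  # shipped with the browser, not added to this profile
        if addon.get("id") in allowed_ids:
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "?")
        findings.append((addon.get("id"), name, bool(addon.get("active"))))
    return findings


if __name__ == "__main__":
    # Usage: script.py /path/to/profile/extensions.json [mailvelope-addon-id]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    allowed = {sys.argv[2]} if len(sys.argv) > 2 else {MAILVELOPE_ID}
    found = extra_addons(text, allowed)
    for addon_id, name, active in found:
        print(f"extra add-on: {name} ({addon_id}) active={active}")
    sys.exit(1 if found else 0)
```

A non-zero exit status means the profile contains at least one extension besides the allowed one.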
