Hi Kyle and Aaron, let me answer you by Cc'ing the tor-talk mailing list, where there is an on-going discussion about it.
It has been suggested that FireGPG is unsafe (https://tails.boum.org/bugs/FireGPG_may_be_unsafe/); your approach, by design, sounds very nice.

I am wondering whether it would be possible to add another simple security mechanism so that the user is "alerted" any time a GPG-related operation is going to be executed. Something like: "The website blahblah.com would like to use PGP to [encrypt|sign|cipher] web data, do you want to allow it?"

Ransom, what do you think about Kyle and Aaron's approach? (Eventually including a "pre-warning" to the end user for any sensitive operation?)

By embedding GPG support into the Tor Browser Bundle, the Tor Project could eventually provide a "Trusted PGP Key lookup server" on a Tor Hidden Service that forwards the PGP key lookup to public Internet key servers.

I mean, today everything goes over HTTP, but our browsers are capable of doing end-to-end encryption only by using JavaScript. Why not try to "enable" the best of anonymity (Tor) + the best of web browsing (Firefox) with the best of encryption (GPG)?

-naif

On 10/10/11 5:22 PM, Kyle L. Huff wrote:
> Fabio,
>
> (I am including Aaron in the conversation; he is a fellow code-monkey
> and assists in coding, code management, testing and drinking coffee)
>
> Inclusion of the webpg-npapi plug-in into the Tor project sounds great
> to me; however, I can see a potential issue that might pose a problem -
>
> Firefox extensions do not (to my knowledge) have a mechanism that allows
> you to secure (or make private) a bundled extension. This creates the
> issue whereby a website could merely embed an object that requests the
> plug-in and then attempts to do things with the interface (i.e. list the
> secret keys, import keys, delete keys, etc.).
>
> I am working on some compile-time flags that will allow webpg-npapi to
> compile in various modes, for instance:
>
> 1.) "secured" mode, whereby when the NPAPI plug-in would receive a
> request for a keyring operation that does not normally require
> authentication, it would initiate a request on the default GPG/PGP key
> and only proceed if the secret key was successfully unlocked (i.e. the
> passphrase was correct)
>
> 2.) "unsafe" mode would make it so that no key management methods are
> available. Only key operations, such as sign, encrypt, decrypt, etc.
> (only methods that already require the secret key to be unlocked)
>
> I believe this will limit exposure in the situation with Firefox and
> other browsers that don't have a method for securing a bundled plug-in;
> however, the best solution would be to have the NPAPI plug-in only
> available via the extension, as it is with Chrome/Chromium (this would
> require a change in Firefox).
>
> I don't see any other issue with the inclusion and I am willing to work
> with the Tor project where possible to assist in implementation,
> licensing, code review or any other changes necessary - should there be
> a desire to proceed.
>
> Regards,
>
> Kyle Huff

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
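The two ideas in this thread, Kyle's compile-time modes and naif's per-site consent prompt, can be sketched as a single authorization gate placed between page script and the plug-in interface. The following is an added example written for this page; it is not webpg-npapi's code or API. The operation names, the mode names ("secured" for Kyle's first mode and "keyops-only" for what his mail calls "unsafe" mode), the in-memory fake keyring, the origins, and the injected `askUser`/`unlockDefaultKey` callbacks are all assumptions made so the example runs offline.

```javascript
"use strict";

// Requests a page may make, split the way Kyle's mail splits them: key
// management (never needs the passphrase, so a hostile page could call it
// freely) versus key use (already requires the secret key to be unlocked).
// Names are assumptions, not the plug-in's real method names.
const KEY_MANAGEMENT_OPS = new Set(["listSecretKeys", "importKey", "deleteKey"]);
const KEY_USE_OPS = new Set(["sign", "encrypt", "decrypt"]);

// Constructed stand-in for the plug-in's keyring; not the real NPAPI interface.
function makeFakeKeyring(initialKeyIds) {
  const keys = new Set(initialKeyIds);
  return {
    listSecretKeys: () => [...keys],
    importKey: (id) => { keys.add(id); return keys.size; },
    deleteKey: (id) => keys.delete(id),
    sign: (data) => `SIG[${data}]`,
    encrypt: (data) => `ENC[${data}]`,
    decrypt: (blob) => blob.replace(/^ENC\[(.*)\]$/, "$1"),
  };
}

class GpgGate {
  // mode: "secured"     - key management only after unlockDefaultKey() succeeds
  //       "keyops-only" - key management never exposed (Kyle's "unsafe" mode)
  // askUser(origin, op) -> boolean : the per-site consent prompt naif proposes
  // unlockDefaultKey()  -> boolean : passphrase check on the default secret key
  constructor({ mode, plugin, askUser, unlockDefaultKey }) {
    if (mode !== "secured" && mode !== "keyops-only") throw new Error(`unknown mode ${mode}`);
    this.mode = mode;
    this.plugin = plugin;
    this.askUser = askUser;
    this.unlockDefaultKey = unlockDefaultKey;
    this.consent = new Map(); // origin -> Map(op -> boolean), remembered for the session
    this.audit = [];
  }

  request(origin, op, ...args) {
    const deny = (reason) => {
      this.audit.push({ origin, op, allowed: false, reason });
      return { allowed: false, reason };
    };
    if (!KEY_MANAGEMENT_OPS.has(op) && !KEY_USE_OPS.has(op)) return deny("unknown operation");

    // Key management is removed entirely by the build mode before the user is asked.
    if (KEY_MANAGEMENT_OPS.has(op) && this.mode === "keyops-only") return deny("key management not exposed");

    // Per-origin consent: the first request for (origin, op) prompts; the answer is remembered.
    let perOrigin = this.consent.get(origin);
    if (!perOrigin) { perOrigin = new Map(); this.consent.set(origin, perOrigin); }
    if (!perOrigin.has(op)) perOrigin.set(op, Boolean(this.askUser(origin, op)));
    if (!perOrigin.get(op)) return deny("user denied");

    // Secured mode: key management additionally requires the passphrase to be correct.
    if (KEY_MANAGEMENT_OPS.has(op) && !this.unlockDefaultKey()) return deny("default secret key not unlocked");

    const result = this.plugin[op](...args);
    this.audit.push({ origin, op, allowed: true });
    return { allowed: true, result };
  }
}

// Constructed scenario: the user trusts a webmail origin and refuses a second origin.
function runScenario() {
  const trusted = "https://webmail.example";
  const hostile = "https://ads.example";
  const prompts = [];
  const askUser = (origin, op) => { prompts.push(`${origin}:${op}`); return origin === trusted; };

  let unlocked = false;
  const gate = new GpgGate({
    mode: "secured",
    plugin: makeFakeKeyring(["0xA1B2C3D4"]),
    askUser,
    unlockDefaultKey: () => unlocked,
  });

  const hostileList = gate.request(hostile, "listSecretKeys");   // user denies the prompt
  const lockedList = gate.request(trusted, "listSecretKeys");    // consented, but passphrase not given
  unlocked = true;
  const unlockedList = gate.request(trusted, "listSecretKeys");  // allowed; no second prompt
  const signed = gate.request(trusted, "sign", "hello");

  const strict = new GpgGate({
    mode: "keyops-only",
    plugin: makeFakeKeyring(["0xA1B2C3D4"]),
    askUser: () => true,
    unlockDefaultKey: () => true,
  });
  const strictImport = strict.request(trusted, "importKey", "0xDEADBEEF"); // never exposed
  const strictEncrypt = strict.request(trusted, "encrypt", "hello");

  return { prompts, hostileList, lockedList, unlockedList, signed, strictImport, strictEncrypt };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

The gate only does what the thread describes: it cannot stop a page from embedding the plug-in object, which is the Firefox limitation Kyle points out, so the consent prompt and the passphrase check are the last line of defence rather than a replacement for making the plug-in reachable only through the extension.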