[tor-talk] Tor Browser Bundle: PGP encryption built-in?

Mike Perry mikeperry at fscked.org
Mon Oct 10 20:07:25 UTC 2011


Thus spake Arturo Filastò (art at globaleaks.org):

> I actually think it would be a great idea to include PGP encryption
> support into the browser.
> I remember discussing this with Jake some time ago of maybe in the
> future having a bundle for Thunderbird and enigmail. I don't see why it
> it a bad idea to move one step closer into that direction by including
> PGP in the TBB.

I think the enigmail vulnerability surface is way more manageable than
an arbitrary webby one, though perhaps less useful.

> >>   It also seems it was using a "bad design" practice for the IPC
> >> communications between various modules.
> >>
> >> * NPAPI based GPG is just released (by old FirePGP contributor)
> >>   https://github.com/kylehuff/webpg-npapi
> >>
> >> Having a support for GPG encryption into a generic browser, with PGP
> >> operations usable from Javascript/XUL, could open a lot of improvements
> >> and opportunities to secure Webmail and other web applications.
> > No.  See https://tails.boum.org/bugs/FireGPG_may_be_unsafe/ , but
> > beware -- I'm sure katmagic and I missed a few dozen attacks.
> >
> Well that attack proposed there is pretty basic, I really think this is
> a useful idea and it should not be discarded with no thought.

The problem with a browser extension is that the very thing that makes
it useful is what makes it so risky. A GPG plugin of any kind becomes
a vector for all sorts of nasty web attacks that would have normally
been stopped by the server, such as XSS, XSRF, and various sorts of
webbugs. On top of that, you need to protect against XUL XSS (which
yields arbitrary code exec), as well as the privacy issues of
leaking side-channels about the existence of certain keys in an
otherwise anonymous browsing session.

I'm not sure exactly what the FireGPG author expects to gain by moving
all of this stuff to NPAPI. A naive use of his NPAPI code could easily
lead to an *increase* in the vulnerability surface, not a decrease.
And that's even assuming he codes the NPAPI bits safely.

I think your first task is to find out exactly what this guy thinks he
did wrong in JS+XPCOM, and why moving to a more complicated language
like C++ will make it better, and not worse.

If he won't answer or won't tell you, stay the hell away from his
code.

> >> What do you think about it? 
> > No.
> >
> Robert, why do you have to be so negative?

I think Robert is negative because the idea just sets off all sorts of
warning bells. 

I definitely agree that this doesn't make the idea not worth doing.
Personally, I think it would be way easier and safer to devote the
effort into securing Thunderbird for GPG and Tor so we could just
bundle that, but I understand the benefits and appeal of having
everything in the browser.

But man, tread with care. GPG-in-a-browser is like a minefield of
killer beehives in a jungle filled with wild dogs. Oh yeah, and when
the dogs bark, they shoot bees at you.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
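The side channel Mike raises above (a page learning which keys exist in an otherwise anonymous session, and the XSRF-style silent calls that a page-facing GPG API invites), modelled as an added example that is not code from this thread, FireGPG or webpg-npapi. A plain object stands in for whatever an extension would expose to page JavaScript; `naiveBridge`, `gatedBridge`, `probeWithPageScript`, `toyEncrypt`, the fingerprints and the origins are all hypothetical or constructed.

```javascript
// Added example, not code from this thread, FireGPG or webpg-npapi.
// A "bridge" object stands in for whatever API an extension would expose to
// page JavaScript; all names, fingerprints and origins are hypothetical.

// Constructed keyring: fingerprint -> user id, as a user's GPG keyring might hold.
const ALICE_FPR = "1111222233334444555566667777888899990000";
const BOB_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333";
const UNKNOWN_FPR = "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF";
const keyring = new Map([
  [ALICE_FPR, "alice@example.org"],
  [BOB_FPR, "bob@example.org"],
]);

// Stand-in for real encryption so the example runs offline: XOR each byte
// with a constant and hex-encode. Not cryptography, just a placeholder.
function toyEncrypt(plaintext) {
  return [...plaintext]
    .map((ch) => (ch.charCodeAt(0) ^ 0x5a).toString(16).padStart(2, "0"))
    .join("");
}

// Naive design: keyring queries go straight to page script. Any site the user
// visits over Tor can call these while the session is otherwise anonymous.
function naiveBridge() {
  return {
    hasKey: (fpr) => keyring.has(fpr),
    // Success vs. a "no such key" error leaks the same bit hasKey does.
    encrypt: (fpr, plaintext) => {
      if (!keyring.has(fpr)) throw new Error("no such key: " + fpr);
      return { to: keyring.get(fpr), ciphertext: toyEncrypt(plaintext) };
    },
  };
}

// What an unrelated site's script can learn from a bridge: compare a list of
// public fingerprints it already knows (keyservers publish them) against the
// keyring. Each hit ties the "anonymous" session to a key holder.
function probeWithPageScript(bridge, knownFingerprints) {
  return knownFingerprints.filter((fpr) => bridge.hasKey(fpr) === true);
}

// Gated design: operations are offered only to origins the user granted,
// only inside a user gesture (blunts XSRF-style silent calls), and every
// refusal has the same shape, so a denied origin learns nothing about keys.
function gatedBridge(origin, grantedOrigins, userGesture) {
  const allowed = grantedOrigins.has(origin) && userGesture;
  const refused = () => ({ ok: false }); // no reason string to distinguish cases
  return {
    // Enumeration is never exposed to content, granted or not.
    hasKey: () => refused(),
    encrypt: (fpr, plaintext) => {
      if (!allowed || !keyring.has(fpr)) return refused();
      return { ok: true, ciphertext: toyEncrypt(plaintext) };
    },
  };
}
```

The gate only moves the problem onto the granted origin: a webmail site the user has approved still gets full use of the keyring, so an XSS bug on that site buys the attacker the same thing the naive bridge hands to everyone, which is the point of the thread.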