[tor-talk] Ideas to securely implement PGP encryption/decryption
Moritz Bartl
moritz at torservers.net
Tue Oct 11 10:59:57 UTC 2011
On 11.10.2011 04:07, Mike Perry wrote:
>> At the moment, I cannot think of any attack vectors once you combine it
>> with enabled Torbutton (or a stripped down Tor Browser) where active
>> scripting/access to the DOM is disabled completely.
> Actually, these attacks are generally prohibited by strong isolation
> between the content script and the XUL script. In XUL, you can read
> the ciphertext, extract it, decrypt it, and display it in a protected
> XUL window without introducing risk, IF all steps are done properly.
I was thinking of the obvious interaction a user expects for encryption
of plaintext data: I type data into a web form, when I am done I execute
the encrypt command.
I don't see how you can isolate web forms in the DOM in a way that it
cannot be read in between typing and encrypting the data.
--
Moritz Bartl
https://www.torservers.net/