[tor-talk] Fwd: Tor Browser Bundle: PGP encryption built-in?

Fabio Pietrosanti (naif) lists at infosecurity.ch
Mon Oct 10 15:40:48 UTC 2011


Hi Kyle and Aaron,

let me answer you by Cc'ing the tor-talk mailing list, where there is an
ongoing discussion about it.

It has been suggested that FireGPG is unsafe
(https://tails.boum.org/bugs/FireGPG_may_be_unsafe/); your approach, by
design, sounds very nice.

I am wondering whether it would be possible to add another simple
security mechanism so that the user is "alerted" anytime a GPG related
operation is going to be executed.

Something like:
"The website blahblah.com would like to use PGP to [encrypt|sign|cipher]
web-data, do you want to allow it?"

Ransom, what do you think about Kyle and Aaron's approach (eventually
including a "pre-warning" to the end user for any sensitive operation)?

By embedding GPG support into the Tor Browser Bundle, the Tor Project could
eventually provide a "Trusted PGP Key lookup server" on a Tor Hidden
Service that forwards PGP key lookups to public internet key servers.

I mean, today everything goes over HTTP, but our browsers are capable of
doing end-to-end encryption only by using Javascript.
Why not try to "enable" the best of anonymity (Tor) + the best of web
browsing (Firefox) with the best of encryption (GPG)?

-naif

On 10/10/11 5:22 PM, Kyle L. Huff wrote:
> Fabio,
> 
> (I am including Aaron into the conversation; he is a fellow code-monkey
> and assists in coding, code management, testing and drinking coffee)
> 
> Inclusion of the webpg-npapi plug-in into the Tor project sounds great
> to me; however, I can see a potential issue that might pose a problem -
> 
> Firefox extensions do not (to my knowledge) have a mechanism that allows
> you to secure (or make private) a bundled extension. This creates the
> issue whereby a website could merely embed an object that requests the
> plug-in and then attempts to do things with the interface (i.e. list the
> secret keys, import keys, delete keys, etc).
> 
> I am working on some compile-time flags that will allow webpg-npapi to
> compile in various modes, for instance:
> 
> 1.) "secured" mode, whereby when the NPAPI plug-in would receive a
> request for a keyring operation that does not normally require
> authentication, it would initiate a request on the default GPG/PGP key
> and only proceed if the secret key was successfully unlocked (i.e. the
> passphrase was correct)
> 
> 2.) "unsafe" mode would make it so that no key management methods are
> available. Only key operations, such as sign, encrypt, decrypt, etc.
> (only methods that already require the secret-key to be unlocked)
> 
> I believe this will limit exposure in the situation with Firefox and
> other browsers that don't have a method for securing a bundled plug-in;
> however, the best solution would be to have the NPAPI plugin only
> available via the extension, as it is with Chrome/Chromium (this would
> require a change in Firefox).
> 
> I don't see any other issue with the inclusion and I am willing to work
> with the Tor project where possible to assist in implementation,
> licensing, code review or any other changes necessary - should there be
> a desire to proceed.
> 
> Regards,
> 
> Kyle Huff
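The two ideas in this thread, Kyle's "secured"/"unsafe" modes and naif's per-site confirmation prompt, combine into a single policy layer between web content and the keyring. The following is an added example written for this page, not code from webpg-npapi or the Tor Project; the method names, the `PgpGate` class and the two callbacks it takes are assumptions.

```javascript
// Added example (not webpg-npapi or Tor Project code): a policy gate that
// models Kyle's "secured"/"unsafe" compile modes and naif's per-origin
// confirmation prompt. Method names and callback shapes are assumed.

// Keyring-management methods: the exposure Kyle describes if any page can
// reach the plug-in (list secret keys, import, delete).
const KEY_MANAGEMENT = new Set(["listSecretKeys", "importKey", "deleteKey"]);
// Key operations that already require the secret key to be unlocked.
const KEY_OPERATIONS = new Set(["sign", "encrypt", "decrypt"]);

class PgpGate {
  // mode: "secured" or "unsafe" (Kyle's terms).
  // unlockDefaultKey(): true only if the user entered the correct passphrase.
  // askUser(origin, method): true if the user allowed the prompt naif proposed.
  constructor({ mode, unlockDefaultKey, askUser }) {
    if (mode !== "secured" && mode !== "unsafe") throw new Error("unknown mode");
    this.mode = mode;
    this.unlockDefaultKey = unlockDefaultKey;
    this.askUser = askUser;
  }

  // Decide whether a page at `origin` may invoke `method`.
  // Returns { allowed, reason } so the caller can log why a call was refused.
  request(origin, method) {
    const isManagement = KEY_MANAGEMENT.has(method);
    if (!isManagement && !KEY_OPERATIONS.has(method)) {
      return { allowed: false, reason: "method not exposed to web content" };
    }
    // "unsafe" mode: no key-management methods at all, only sign/encrypt/decrypt.
    if (this.mode === "unsafe" && isManagement) {
      return { allowed: false, reason: "key management unavailable in unsafe mode" };
    }
    // naif's suggestion: alert the user before any GPG-related operation runs.
    if (!this.askUser(origin, method)) {
      return { allowed: false, reason: "user refused" };
    }
    // "secured" mode: management calls proceed only once the default
    // secret key has been unlocked with the correct passphrase.
    if (this.mode === "secured" && isManagement && !this.unlockDefaultKey()) {
      return { allowed: false, reason: "default secret key not unlocked" };
    }
    return { allowed: true, reason: "ok" };
  }
}
```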