[tor-talk] Tor Browser Bundle: PGP encryption built-in?

Robert Ransom rransom.8774 at gmail.com
Fri Oct 14 20:35:35 UTC 2011


On 2011-10-10, Arturo Filastò <art at globaleaks.org> wrote:
> On 10/10/11 9:44 AM, Robert Ransom wrote:
>> On 2011-10-10, Fabio Pietrosanti (naif) <lists at infosecurity.ch> wrote:
>>> is anyone evaluating whether to include PGP encryption support into the
>>> default Tor Browser Bundle as a Firefox extension?
>> No.
>>
> I actually think it would be a great idea to include PGP encryption
> support into the browser.
> I remember discussing this with Jake some time ago of maybe in the
> future having a bundle for Thunderbird and enigmail. I don't see why it
> is a bad idea to move one step closer into that direction by including
> PGP in the TBB.

Adding GPG to a web browser does not move us any steps closer to
having a mail user agent audited and packaged for use with Tor.


>>> I looked at the implementation and:
>>>
>>> * FireGPG is discontinued http://getfiregpg.org/s/install
>>>   It also seems it was using a "bad design" practice for the IPC
>>> communications between various modules.
>>>
>>> * NPAPI based GPG is just released (by old FirePGP contributor)
>>>   https://github.com/kylehuff/webpg-npapi
>>>
>>> Having a support for GPG encryption into a generic browser, with PGP
>>> operations usable from Javascript/XUL, could open a lot of improvements
>>> and opportunities to secure Webmail and other web applications.
>> No.  See https://tails.boum.org/bugs/FireGPG_may_be_unsafe/ , but
>> beware -- I'm sure katmagic and I missed a few dozen attacks.
>>
> Well that attack proposed there is pretty basic, I really think this is
> a useful idea and it should not be discarded with no thought.

There are two attacks on that page.  When I thought of the
keyring-enumeration attack listed there, I hadn't heard of the
plaintext-leak attack yet, so I thought that only FireGPG's API was
dangerous, and then only to Tor users who might be trying to remain
anonymous or pseudonymous.  (I have since realized that I really don't
want an attacker to be able to read my keyring, even if They know who
I am already.)

Then katmagic told us about the plaintext-leak attacks on FireGPG, and
I thought ‘Oh crap, that's *scary*.’  And *then* I discarded the idea
of GPG-in-a-browser.

These are not attacks on easily-avoided flaws in FireGPG's
implementation.  These are attacks on FireGPG's *purpose* -- *any*
browser extension that did what FireGPG was *designed* to do would be
vulnerable to these attacks.

The Mikes and katmagic are trying to come up with new designs that
could, in theory, be implemented safely.  In practice, if you try to
let users enter text to be encrypted into something that looks like a
web form, an attacker *will* find a way to fool users into entering
their plaintext into something that JavaScript can read from (or
intercept key-press events for...), because a web form can be made to
look like your GPG plaintext-entry area.  So the only option is to
have users enter plaintext into something that is clearly a separate
window, and clearly not under the control of any web page -- and that
defeats most of the purpose of putting GPG in a browser.


>>> At http://globaleaks.org we'll most probably need such kind of support
>>> into the browser and we're wondering if this could accommodate a standard
>>> "requirement" of the Tor Project for the Tor Browser Bundle.
>> No.
>>
> I must also here disagree, but I think I am a bit biased.
>
> Anyways as I said, it would be of great use for people to be able to
> use PGP built into the browser, at least for sending encrypted email.
>
> It should not be implemented in a rush, but the gain that can be drawn
> from such a feature is not slim.

The gain is slim compared to the difficulty of designing a secure GPG
browser extension and implementing it securely.  Auditing a real MUA
for use with Tor would be less difficult and *far* more useful.

Also, we don't have room left in TBB for a GPG distribution at the
moment.  Firefox and Qt are too bloated.


> Instead of having people download and install complicated software to
> send me an encrypted message I can point them to the TBB and they
> are all set. Not at all a bad idea.

It's a bad idea if an attacker is very likely to succeed at grabbing
users' plaintexts.


>>> It would be also possible to easily make very simple "XUL" interfaces to
>>> handle basic PGP based file encryption operations, de-facto bundling a
>>> GPG client (with a Browser UI) into the TorBrowserBundle.
>> This sounds reasonable, except for the parts about the XUL interface
>> and the browser-based UI.  It also sounds rather like GPG4Win, except
>> for those parts.
>>
>>> What do you think about it?
>> No.
>>
> Robert, why do you have to be so negative?

FireGPG was dangerous because it worked as designed.  You (GlobaLeaks)
started by proposing to implement the same design (including the API)
again.

Now you've backpedaled to trying to find *some* set of features that
will let you bolt GPG onto the side of a browser, for no reason that I
can see other than that you are determined to not give up on putting
GPG in a browser *somehow*, even if you can't integrate it usefully
into ‘Webmail and other web applications’ as you said you wanted to.

If your goal is GPG-in-a-browser for its own sake, go ahead and
implement it.  I doubt that it will ever be useful, but it's your
choice.

But if your goal is to let users send or receive encrypted and/or
signed e-mail anonymously or pseudonymously, GPG-in-a-browser is the
wrong means to reach your goal.


Robert Ransom
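The trust-boundary argument above (page script can read, and receive key-press events for, any text box that lives in the page's own document, so the only safe plaintext-entry surface is one outside the document) is modelled below as an added illustration. This is editor-written Node.js code, not code from the thread or from FireGPG; the `Document`, `InputBox` and `ChromeWindow` classes are a deliberately minimal stand-in for the browser's DOM and chrome, not a real browser API.

```javascript
// Minimal model of where typed text is observable from. A box owned by the
// page's Document routes its keystrokes through that document's event
// dispatch, and its value is reachable from page script. A box owned by a
// separate chrome window never touches the page's dispatch at all.
class InputBox {
  constructor(owner, id) { this.owner = owner; this.id = id; this.value = ""; }
  // Model of the user typing: each character is appended and a keypress
  // event is dispatched through whatever owns the box.
  type(text) {
    for (const ch of text) {
      this.value += ch;
      this.owner.dispatch({ type: "keypress", key: ch, target: this });
    }
  }
}

class Document {                       // the web page's document, script-accessible
  constructor() { this.listeners = []; this.elements = []; }
  createElement(id) { const el = new InputBox(this, id); this.elements.push(el); return el; }
  addEventListener(type, fn) { this.listeners.push({ type, fn }); }
  dispatch(ev) { for (const l of this.listeners) if (l.type === ev.type) l.fn(ev); }
}

class ChromeWindow {                   // extension-owned window, no page listeners
  constructor() { this.elements = []; }
  createElement(id) { const el = new InputBox(this, id); this.elements.push(el); return el; }
  dispatch(_ev) { /* handled by the extension itself; page script never sees it */ }
}

// What an untrusted page's script learns about text the user types into `box`.
function observeFromPage(doc, box, text) {
  const seenKeys = [];
  doc.addEventListener("keypress", (ev) => seenKeys.push(ev.key));
  box.type(text);
  const readable = doc.elements.includes(box) ? box.value : null;
  return { keystrokes: seenKeys.join(""), value: readable };
}

// Constructed scenario: a page-styled look-alike box versus a real chrome window.
function demo() {
  const doc = new Document();
  const lookalike = doc.createElement("pgp-plaintext");   // lives in the page
  const separate = new ChromeWindow().createElement("pgp-plaintext");
  return {
    inPage: observeFromPage(doc, lookalike, "secret"),
    separateWindow: observeFromPage(doc, separate, "secret"),
    extensionStillSees: separate.value,   // the extension itself can still read its own box
  };
}
```

The model makes the design consequence concrete: the in-page box leaks every keystroke and its full value to page script, while the chrome-window box leaks nothing to the page yet remains fully usable by the extension.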