[tor-talk] Mailpile SMTorP [ref: nexgen P2P email]

Yuri yuri at rawbw.com
Thu May 21 19:03:24 UTC 2015


On 05/21/2015 00:41, grarpamp wrote:
> This eliminates the fact that all these new centralised OpenPGP
> webmail providers will have access to your keys/cleartext, because
> either:
> A) it resides there
> B) the malware they give you to run in your browser gives it away.

On one hand, Mailpile is after security, which is great. But on the 
other hand they use node, which doesn't sign packages, therefore being 
vulnerable to MITM attacks. I think node js is either fundamentally 
opposed to signing, or wants to bundle it with their commercial version, 
or something like that. With this trade-off (convenience of node vs 
security), Mailpile certainly doesn't look as secure as such a system 
could be.

Node js also has the insecure command that downloads code direct from 
github. So if some github project gets hijacked or bought out, guess 
what will happen?

Yuri
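As an added example (not code from Mailpile, node, or anyone in this thread), the script below audits an npm-style package-lock.json for the two risks Yuri raises: tarballs that carry no pinned hash to check after download, and dependencies fetched straight from a git host that float on a branch or tag instead of a fixed commit. It assumes the lockfile v1 layout (a "dependencies" map whose entries have "resolved", "integrity" and possibly nested "dependencies"); the sample lockfile, package names and hashes are constructed.

```javascript
// Added example: flag lockfile entries that cannot be verified offline.
// Assumes lockfile v1 shape: entry.resolved (source URL), entry.integrity
// (SRI hash for registry tarballs), entry.dependencies (nested entries).
// Git sources are assumed to look like "git+https://host/org/repo.git#<ref>".

const GIT_URL = /^git\+(?:https|ssh):\/\//;
const FULL_SHA = /#([0-9a-f]{40})$/;

function auditEntry(name, entry) {
  const findings = [];
  const resolved = entry.resolved || '';
  if (GIT_URL.test(resolved)) {
    // A git dependency is only reproducible when pinned to a full commit
    // hash; a branch or tag can be moved if the repository changes hands.
    if (!FULL_SHA.test(resolved)) {
      findings.push(`${name}: git dependency not pinned to a full commit SHA (${resolved})`);
    }
  } else if (!entry.integrity) {
    // Without an integrity hash, a tampered tarball is indistinguishable
    // from the real one at install time.
    findings.push(`${name}: no integrity hash, tarball contents cannot be verified`);
  } else if (!/^sha(256|384|512)-/.test(entry.integrity)) {
    findings.push(`${name}: weak or unknown integrity algorithm (${entry.integrity.split('-')[0]})`);
  }
  return findings;
}

function auditLockfile(lock) {
  const deps = lock.dependencies || {};
  const findings = [];
  for (const [name, entry] of Object.entries(deps)) {
    findings.push(...auditEntry(name, entry));
    // Nested dependencies (lockfile v1) are audited recursively.
    if (entry.dependencies) findings.push(...auditLockfile(entry));
  }
  return findings;
}

// Constructed sample lockfile fragment (names, URLs and hashes are made up).
const SAMPLE_LOCK = {
  dependencies: {
    'left-pad-ish': {
      version: '1.0.0',
      resolved: 'https://registry.example.invalid/left-pad-ish-1.0.0.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==',
    },
    'legacy-thing': {
      version: '0.1.0',
      resolved: 'https://registry.example.invalid/legacy-thing-0.1.0.tgz',
      integrity: 'sha1-' + 'B'.repeat(27) + '=',
    },
    'no-hash': {
      version: '2.0.0',
      resolved: 'https://registry.example.invalid/no-hash-2.0.0.tgz',
    },
    'pinned-git': {
      version: '1.2.3',
      resolved: 'git+https://github.com/example/pinned-git.git#' + '0'.repeat(40),
    },
    'floating-git': {
      version: '1.2.3',
      resolved: 'git+https://github.com/example/floating-git.git#master',
      dependencies: {
        'nested-no-hash': {
          version: '0.0.1',
          resolved: 'https://registry.example.invalid/nested-no-hash-0.0.1.tgz',
        },
      },
    },
  },
};

// Print each finding; on this sample there are four.
auditLockfile(SAMPLE_LOCK).forEach((f) => console.log(f));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`. An integrity hash is not a signature: it only proves the tarball you fetched is the one the lockfile author recorded, so it protects against tampering on the wire, not against a maintainer or registry that published a bad version in the first place.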

