Mailvelope

OpenPGP for the browser

Thomas Oberndörfer / @toberndo / info@mailvelope.com

http://mailvelope.com/

Big Picture

  • OpenPGP encryption for Webmail users
  • Browser extension
  • Based on OpenPGP.js
  • AGPL 3
  • Hosted on GitHub:
    https://github.com/toberndo/mailvelope
  • Available for Chrome (since August 2012) and Firefox

Why?

Favorite excuse not to encrypt email:

"I use webmail..."

~425 Million active Gmail users in 2012

How?

Preconfigured for providers:

Mailvelope is a generic solution:

  • Add sites to watchlist
  • No mail provider specific coding
  • Works for all websites*

* theoretically

Threat Model

  • A rogue sender: because there is no server-side XSS filtering, the extension must filter any rich content after decryption or render the content in a safe way
  • A rogue web-mailer: attempts to gain information on the plaintext before encryption or after decryption. Goal: even if the mail provider has malicious intent, all data must be safe
  • A rogue third party: potentially attacks the web-mailer or any other website the user is active on; it tries to find a lever to get at the decrypted information or any other secret used while creating, encrypting, receiving, decrypting and reading mails
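
One way to meet the rogue-sender requirement by rendering decrypted content "in a safe way", shown as an added example that is not Mailvelope's own code. The function names and the sample message are constructed for illustration, and the frame is assumed to live in a page the extension owns.

```javascript
// Added example, not Mailvelope code. All names here are hypothetical.

// Characters that can change the HTML parsing context, mapped to entities.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Treat decrypted mail as text, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Build a complete document around the escaped text. The CSP is a second
// layer: even if escaping were bypassed, nothing could execute or be loaded
// (no scripts, images, styles, frames), and forms and <base> are blocked too.
function buildSafeDocument(plaintext) {
  const csp = "default-src 'none'; form-action 'none'; base-uri 'none'";
  return [
    '<!DOCTYPE html>',
    '<html><head><meta charset="utf-8">',
    '<meta http-equiv="Content-Security-Policy" content="' + csp + '">',
    '</head>',
    '<body><pre>' + escapeHtml(plaintext) + '</pre></body></html>',
  ].join('\n');
}

// Browser-only helper. Call it from a page the extension owns: srcdoc is
// readable by any script that can reach the iframe element, so mounting this
// in the web-mailer's DOM would hand the plaintext to the rogue web-mailer.
function mountDecrypted(container, plaintext) {
  const frame = container.ownerDocument.createElement('iframe');
  // Empty sandbox value: no scripts, no forms, no popups, opaque origin.
  frame.setAttribute('sandbox', '');
  frame.srcdoc = buildSafeDocument(plaintext);
  container.appendChild(frame);
  return frame;
}

// Constructed sample: what a rogue sender might place inside the ciphertext.
const SAMPLE_DECRYPTED =
  'Hi,\n<img src=x onerror="alert(1)"><script>alert(2)</script>\n"Mallory" & co';

// Runs in Node as well as in the browser: the markup arrives as inert text.
const SAMPLE_DOCUMENT = buildSafeDocument(SAMPLE_DECRYPTED);
```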

Demo

Decrypt Demo


Encrypt Demo

OpenPGP.js

  • implements RFC4880 in JavaScript
  • LGPL 2.1, initially developed by recurity-labs.com
  • new modular design released Jan. 10, 2014
  • Node.js: https://npmjs.org/package/openpgp
  • Keys in local storage of browser
  • Use in packaged apps or browser extension and with CSP

Security Audits

Future

  • Signing and verification
  • Key server integration
  • Attachments
  • PGP/MIME
  • I18N
  • and more...

Contributors welcome!

Thank you!

Q & A