Encrypted drafts #96
Comments
|
The counter measure currently is to disable automatic drafting. There is also a trigger on the beforesavedraft JS event prompting a confirm() prompting the user before continuing. What's your stake on this? I agree, drafts should be encrypted if stored at all. The problem is that there's no real clean way of doing it. The ugly version would be to load the message into a variable (client RAM), encrypting the message in a beforesavedraft event catcher (already in place), overwriting the message content box with the encrypted message, saving the draft and finally after saving the draft (we need some form of callback, I'm sure that can be arranged) rewriting the message content box with the cleartext value previously stored. This solution would probably be resourcefully noticeable for certain users, for example there's a complaint about crypto speed in #99. What's your idea of implementation? I can build it easily, but what's your opinion on the flow - besides that it should work, obviously? |
|
Am 2013-10-07 18:56, schrieb Niklas Szilágyi Femerstrand:
It makes abolutely no sense to send encrypted mails but store them So I suggest to store encrypted drafts by default and provide an option Regards, Renne |
|
Did you even read what I wrote? |
|
What a nightmare :-)
Either that, or, as a less drastic measure, draft saving could be prevented if the "encrypt" option for the message is active. |
|
The Roundcube 1.0-beta includes saving drafts in local storage. Am I adventureous thinking that resolves all of this? http://trac.roundcube.net/milestone/1.0-beta |
|
No, I think that's a good approach. Temporary drafts can be stored in local storage. When the user leaves the email editing window and hasn't send the mail, he can be asked if he wants to store the final draft encrypted on the server or keep it unencrypted on the local machine. The only thing I'm worried about is the 5 MByte limit of HTML5 storage. |
|
The topic says "As it makes no sense to send an email encrypted while storing a clear text draft convienently for intellegence agencies". So the point is about an agency spying on the mailserver. If they already have write access to your webserver, you cannot trust roundcubemail at all - so no rc plugin can ever recover your privacy. So while only saving encrypted drafts certainly removes some additional attack vendors, sending encrypted mails while keeping an unencrypted copy still protects you from some attack vendors and thus the plugin remains useful. |
|
In most cases (e.g. big mail providers) intelligence agencies will spy but not tamper the server to avoid leaving tracks or upset thousands of customers by breaking the service. But there's even a workaround for protecting the code against changing. If Roundcube runs as a HTML5 offline app and the user has to allow downloading a new version, he at least knows when code changes. And storing an unencryted draft at any service breaks privacy as a lot of providers scan their customers mail (e.g. for personalized advertisement) or even sell information about their customers. So I suggest to store final drafts encrypted on the server and use local (unecrypted) caching for snapshot drafts. |
|
I agree with @encomiast . If box is checked, encrypt, save. If not. No worries. We could add a handle on saving the unencrypted draft a warning like "Draft Saved UNENCRYPTED". I'm also dealing with a similar issue but I'll open another thread for that. |
Maybe not write, but read, and maybe after the email has arrived. Spying begins somewhere, and fighting LEO is often a race condition. |
As it makes no sense to send an email encrypted while storing a clear text draft convienently for intellegence agencies, I suggest to encrypt ALL messages stored on servers.
The text was updated successfully, but these errors were encountered: