[guardian-dev] Is there security risks on developing OTR addons for web browsers ?

Mohamed Akram Tabka tabkram at gmail.com
Wed Sep 25 18:07:21 EDT 2013



Thank you for the explanation. I have a clear idea now.
The add-on should be totally separated :)

A.

On 25/09/13 22:32, Natanael wrote:
> The general idea is that it's too easy to break crypto on the web.
> 
> Attackers can often too easily inject malicious JavaScript, often 
> disabling any encryption or leaking the private keys, and in 
> practically all cases leaking the plaintext (the sent messages). Like 
> with the case of fake SSL certs being used against Gmail users,
> this is something to take seriously, since these attacks can be
> 100% transparent to the user; there's often nothing at all that
> would seem suspicious to the user.
> 
> If you want to do crypto in a browser addon, then don't bother
> trying to interact with web pages if you want to make sure it's
> secure even against powerful attackers. Do it in a separate window
> or sidebar where an attacker can't easily mess with your system.
> 
> On Wed, Sep 25, 2013 at 11:15 PM, Mohamed Akram Tabka
> <tabkram at gmail.com> wrote: Hi all, I'm thinking about developing
> an OTR addon for handling OTR discussions on web browsers. Is it
> really secure? Do browser extensions for crypto operations really
> pose threats to users' security?
> 
> If it is not recommended to develop crypto addons for browsers,
> please tell me.
> 
> All the best, A.
> 

-- 
Mohamed Akram Tabka
Tech intern at Access | AccessNow.org
Student at the National School of Computer Sciences
PGP ID : 0x82000BEF
PGP FingerPrint : 40DF DB6B D10B 107B 7609 362F 1045 B72D 8200 0BEF

