This repository has been archived by the owner on Apr 2, 2024. It is now read-only.

Allow to store keys on the server side #88

Closed
sidamos opened this issue Jul 21, 2013 · 15 comments

@sidamos

sidamos commented Jul 21, 2013

I use web mail to access my mails from everywhere. But I don't want to (or sometimes can't) install my keys on every client. So, it would be much better for me to have them stored on the server.

@niklasfemerstrand
Owner

No.

@robinpaulson

Hi I'd be very interested in this feature too. Could you explain why it's been labelled "Won't fix"? Is there a fundamental problem with this approach, or does it not fit your desires for the software?

Cheers

Robin

@niklasfemerstrand
Owner

Because it would defeat the entire purpose of the plugin and because I refuse to build backdoors. The entire purpose is that only the sender and intended recipient can access content and your "feature" request defeats that purpose. If you want to store your keys on the server then either 1) don't use encryption or 2) email them to yourself. It would be blasphemous to allow this. If you want insecure encryption then don't use encryption.

@robinpaulson

If I control the server (let's say for the purpose of argument said server is in the front room of my house, the storage is encrypted and only I have keys to access it via ssh), then only I and the intended recipient can access the content, no-one else has access to it. I'm not after a back door, I'm looking for a way to access my email and my private key from any web-facing server. Storing them in the browser would cause problems there, as I can only use a browser which the key is loaded into.

@niklasfemerstrand
Owner

And what about all the users that don't host their own server, fuck em right? Feel free to write your own server side key storage, I won't do it because it significantly decreases otherwise provided security on all levels and such functionality does not belong in secure software. This is security oriented software and what you are describing is not in line with security, it's in line with you being lazy.

@niklasfemerstrand
Owner

You might find the Enigma plugin to be better for your use case, it does everything on the server for you. https://github.com/roundcube/roundcubemail/tree/master/plugins/enigma

@robinpaulson

That's a slightly redundant suggestion, having the option doesn't mean the users who host their email on someone else's server have to use server-side storage. Keeping it out of their hands to protect them sounds rather patriarchal.

Thanks, I've seen Enigma. It's not maintained, whereas what you're doing is actively supported.

By the way, there's no need to be so aggressive or label me. I asked a question, i.e. why you decided not to do something. Some people would take it as a compliment that they are being asked, it suggests the person asking has some respect for their knowledge. I'm not sure what's such a problem with that.

@sidamos
Author

sidamos commented Jul 25, 2013

Most are using web mail (Roundcube) to access their mails from anywhere (not from home), I guess. But is it secure to store my private keys on a computer/browser that I don't own (at work or even in an Internet Cafe)?

@robinpaulson

Sidamos, the other way is either to import your keys and then delete them afterwards, or to carry a USB drive (encrypted of course) with Portable Firefox on it. The first is clumsy and sounds prone to mistakes, the second causes problems when you're in environments where USB drives are not allowed, like my workplace, or on locked-down computers which will not allow arbitrary executables to be run. There are flaws with all the approaches as far as I can see.

@niklasfemerstrand
Owner

Having the option gives people the illusion that such storage is OK, and it's not. I'm not aggressive, I'm telling you how it is. You already have the option of emailing your own keys to yourself, I really don't see the problem here.

Of course it's not secure to store your private keys on a computer that you don't own, don't do that. If you do that you have nobody but yourself to blame, if I build your feature request you can blame me for enabling you to be insecure. I won't do that.

Of course storing private keys in the browser is a bad idea to begin with, that's the entire reason why #64 and pygpghttpd (https://github.com/qnrq/pygpghttpd) exist.

@sidamos
Author

sidamos commented Jul 25, 2013

Although pygpghttpd sounds interesting, it would even more likely not be usable on a computer I don't own (work, Internet Cafe).

@niklasfemerstrand
Owner

The reason why I'm so anti this is because it defeats everything that the software is being written for. I want to make it easy for people to be secure, not easier to be insecure. There are many more elements to the cryptography audience than people sitting comfortably in Western countries without their own hosted email. There are political activists and everyday people being harassed for what they say, to whom they say it and what they think. The world is much larger and grows beyond Western comfort. It's a price worth paying that you have to walk extra miles to be insecure in order to assure that people living in for example oppressive Asian or Middle Eastern countries. You might not consider yourself a target and if your private communication is exposed perhaps it's not the end of the world, but for many people it is. Because in many cases their lives are on the line their requirements should be prioritized much higher. This is not just any "protect your shopping list with your homemade caesar cipher" software.

Yes, I am greatly bound by my personal objectives and agendas. But I also live in the oppression. I live in a communistic dictatorship. I see journalists being murdered for investigating the wrong things. I see people being beaten up for voting for the wrong party. I see radio station owners being locked up for airing the opinions of their listeners. But even when setting my personal beliefs and opinions aside for the sake of objectivity this feature request still defeats the purpose of the plugin. I by no means intend to sound aggressive or to somehow label you. I intend to satisfy my users with the base foundation of cryptography: only the sender and intended recipient of each message should be enabled to access data. For the same purpose I denied the official Roundcube developer's request to do decryption on the server to "gain performance". I don't agree with you when you, and others, say that it's a good idea to throw security out of the window to gain performance or mobility. Performance and mobility can be achieved through other existing mediums and by forbidding such code in this repo it's assured that lives will not be put on the line because comfortists decided to sacrifice other people's security.

@niklasfemerstrand
Owner

Actually pygpghttpd is entirely portable when placed on a USB stick. Even on Windows it doesn't require a full GnuPG installation but only an exe and dll inclusion in the directory. pygpghttpd can be compiled to a Windows binary. It is portable and that was part of the intention when I selected its dependencies.

@lazlolazlolazlo
Contributor

Reading the above discussion I think it might be a good idea to add a 'Usage' section to the readme with some example workflows ("best practices") and/or refer to some relevant articles about handling your keys.

@niklasfemerstrand
Owner

lazlo: Agree, but I think until the pygpghttpd driver exists there's no point. At this stage even the security offered isn't top notch; at least it's just as bad as any other JS crypto.

4 participants