add ghostmail #33

Closed
elijh opened this issue Nov 2, 2015 · 3 comments
Comments

@elijh
Contributor

elijh commented Nov 2, 2015

https://www.ghostmail.com

@taoeffect

The problem with "secure email" providers like ProtonMail (and GhostMail), is that they are "end-to-end encrypted-kinda-sorta-not-really".

Problem 1 - Your private key is not yours

  • Their server sends you the JavaScript that creates your private key.
  • Their JavaScript can send your private key back to their server.

They say it "stays in your browser", but they cannot guarantee that. There are multiple scenarios where your private key would leave your browser and get sent to their server:

  1. They decide to make their JS do that.
  2. They get ordered to do it.
  3. HTTPS is MITM'd using a rogue cert and you are sent malicious JS that sends your key.

Problem 2 - Your friend's public key is not theirs

Their server sends you the public key for your friend. How do you know it's actually your friend's and not theirs?

You don't.

Neither GhostMail nor ProtonMail belongs on this list.

@taoeffect

Also, this is nonsense (from here):

A new randomly generated 256 bit AES key is used to encrypt actual message (Forward Secrecy).
The AES Key is then encrypted with the recipient’s public RSA key.

No. That is not forward secrecy.

Stay away from all of this nonsense folks. If you want GPG, use GPGTools, Enigmail, or Mailvelope.

@elijh
Contributor Author

elijh commented Nov 2, 2015

Yes, I agree that GhostMail is snake oil, but I try to document the snake oil projects too and highlight what is wrong with them.

@elijh elijh closed this as completed in 86db8bb Jan 21, 2016