PGP/MIME #41

Open
alberto743 opened this Issue Apr 9, 2013 · 31 comments

Is there a plan to support PGP/MIME (sign&encrypt), including with attachments?

zyphlar commented Apr 13, 2013

This is likely to be a wishlist item for a long time because currently Mailvelope just scrapes the text visible on-screen, it doesn't open or add attachments. In order to really do this, we'd have to work with some kind of Gmail API, hack together something really ugly, or write our own mail client ;)

You just need to download the raw message source, and then process it.
It may be even simpler than going around the displayed text, given that
you can wrap around the additional request to the Google server through the
web interface.
Actually PGP/MIME is to be preferred over PGP/Inline, because the e-mail
clients that don't support the OpenPGP standard just see a text
attachment with the signature, and not the text altered (see for example
the raw message source produced by Thunderbird in the two cases with the
Enigmail extension).
Also, having a webmail support for OpenPGP signed&encrypted e-mail is
useful when only the port 80 and 443 are open.

zyphlar commented Apr 13, 2013

You make good points, but consider what we'd need to do to support SENDING
PGP/MIME attachments. Even if we figure out how to hack an auto-attacher
into the browser plugin, there still may be a problem with the mime type of
the attachment.

But if you don't care about SENDING, then I agree this is probably possible.

On Sat, Apr 13, 2013 at 5:47 AM, alberto743 notifications@github.com wrote:

> You just need to download the raw message source, and then process it.
> It may be even simpler than going around the displayed text, given that
> you can wrap around the additional request to the Google server through the
> web interface.
> Actually PGP/MIME is to be preferred over PGP/Inline, because the e-mail
> clients that don't support the OpenPGP standard just see a text
> attachment with the signature, and not the text altered (see for example
> the raw message source produced by Thunderbird in the two cases with the
> Enigmail extension).
> Also, having a webmail support for OpenPGP signed&encrypted e-mail is
> useful when only the port 80 and 443 are open.



Right, sending is much more difficult.
However you could maybe put the complete PGP/MIME inside the text box.
It might work, but I'm not sure.
Still, you would need to process separately the base64 encoding of the
attachments.
I'm not sure Google would permit that.

In the end you are right, complete send and receive PGP/MIME support is not
going to happen, with attachment support.

You may then think about adding additional attachments for the signature of
the text, and for every other regular attachment.

zyphlar commented Apr 13, 2013

The base64 content boundaries would probably prevent that from working. It
may be possible to hack the form submittal actions to "inject" an
attachment into the message but that would be voodoo-level stuff. I wonder
if any Googlers might be willing to advise, in the name of security/privacy.

On Sat, Apr 13, 2013 at 7:44 AM, alberto743 notifications@github.com wrote:

> Right, sending is much more difficult.
> However you could maybe put the complete PGP/MIME inside the text box.
> It might work, but I'm not sure.
> Still, you would need to process separately the base64 encoding of the
> attachments.
> I'm not sure Google would permit that.
>
> In the end you are right, complete send and receive PGP/MIME support is not
> going to happen, with attachment support.
>
> You may then think about adding additional attachments for the signature of
> the text, and for every other regular attachment.



On 13/04/2013 17:08, Will Bradley wrote:

> The base64 content boundaries would probably prevent that from working. It
> may be possible to hack the form submittal actions to "inject" an
> attachment into the message but that would be voodoo-level stuff. I wonder
> if any Googlers might be willing to advise, in the name of security/privacy.

I don't think this is a solution, also because Gmail web interface is
not in steady state (look at FireGPG).
In sending we're stuck to PGP/Inline then.
In receiving it might be useful to add PGP/MIME support, just to be able
to read signed&encrypted emails from other people.

Owner

toberndo commented Jul 5, 2013

Some analysis on different encodings:

  1. Content-Type: text/plain
    -> this is of course ok. No problem for Mailvelope
  2. Content-Type: multipart/mixed;
    -> This is a multipart message in MIME format that contains text and html version
    of the encrypted message. Also ok, mail provider will display just one variant.
  3. Content-Type: multipart/encrypted;
    -> Here we have to distinguish two different disposition types:
    3.1. Content-Disposition: inline
    Used e.g. by Enigmail when choosing PGP/MIME format
    Will be displayed inline by Gmail and can therefore be decrypted by Mailvelope
    3.2. Content-Disposition: attachment
    This is what some of the messages from MS Outlook + PGP Desktop look like.
    Will be displayed as attachments by Gmail, no one-click decryption possible for Mailvelope
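
Added example (not part of the original thread and not Mailvelope's code): a classifier that maps a raw message onto the cases listed in the comment above, using Python's standard `email` package. The names `classify` and `sample` are hypothetical, the sample messages are constructed, and treating a missing Content-Disposition as inline is an assumption of this example.

```python
from email import message_from_string

ARMOR = "-----BEGIN PGP MESSAGE-----"

def classify(raw):
    """Return (case, in_body): the case label from the list above and whether
    the armored block would be rendered in the body rather than attached."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        if msg.get_param("protocol") != "application/pgp-encrypted":
            return ("other", False)  # encrypted, but not declared as OpenPGP
        parts = msg.get_payload()
        # RFC 3156: exactly two parts, the control part, then the encrypted data.
        if (not msg.is_multipart() or len(parts) != 2
                or parts[1].get_content_type() != "application/octet-stream"):
            return ("malformed", False)
        # Assumption of this example: a missing disposition counts as inline.
        disp = parts[1].get_content_disposition() or "inline"
        return ("3.1", True) if disp == "inline" else ("3.2", False)
    # Cases 1 and 2: the armor sits in ordinary, non-attached text parts.
    # Any multipart container with such a part is grouped under case 2.
    for part in msg.walk():
        if (part.get_content_maintype() == "text"
                and part.get_content_disposition() != "attachment"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if ARMOR in body:
                return ("1" if ctype == "text/plain" else "2", True)
    return ("none", False)

def sample(disposition):
    """Constructed RFC 3156 message; the ciphertext is a placeholder."""
    return (
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/encrypted; boundary="b1";\n'
        ' protocol="application/pgp-encrypted"\n\n'
        '--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n'
        '--b1\nContent-Type: application/octet-stream\n'
        f'Content-Disposition: {disposition}; filename="encrypted.asc"\n\n'
        f'{ARMOR}\n\n(placeholder)\n-----END PGP MESSAGE-----\n'
        '--b1--\n'
    )

if __name__ == "__main__":
    for d in ("inline", "attachment"):
        print(d, "->", classify(sample(d)))
```
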

This is a message from a heavy user of PGP, a QA engineer, and a proponent of personal privacy. Please support PGP/MIME for incoming messages. If the idea is more noise down the line, I think reading PGP/MIME would prompt more users who don't already use PGP because of being attached to Gmail to actually send their mail encrypted (regardless of it being inline or MIME).

I run key signing gatherings from time to time and go out of my way to teach my friends how to properly use Enigmail and Thunderbird with their Gmail accounts. It's a huge 1 - 2 hour pain and once I explain the process about 90% of my friends decide to give up on it due to the hassle of running a 2nd client that could muck up their current Gmail setup. If I could just say, "Here's a plugin for Chrome that'll work with Gmail and allow you to read any encrypted messages addressed to you, and let you send basic encrypted messages back" a lot of folks would buy into that immediately. For users who most likely won't understand what PGP/MIME is, having them be able to read all (most) messages incoming, and send readable messages outgoing would be a big win.

Please consider implementing PGP/MIME for incoming messages in some form through Gmail. Thanks!

Re: the problem of sending PGP/MIME.
Might not the answer be to copy the approach of Penango (S/MIME GMail wrapper for Firefox/IE)?
That tool stops the web interface from sending the email but redirects the send through the plugin and then uses the Google SMTP server. The effect is that Penango sends status messages to the screen telling you what it's doing while it can send arbitrary attachments with the crypto content.

+1 for PGP/MIME support being very needed. A lot of my friends who I might use crypto with use Mutt which does PGP/MIME by default. I can't actually check the signatures they send with anything on the web.

How about a dialog to encrypt/decrypt a file? You browse to the file, encrypt/decrypt, and then click to download the file. This would allow the user to attach an encrypted file or decrypt an attached file.

xqxq commented Sep 13, 2013

I second supporting some method of decrypting PGP/MIME attachments from within the mailvelope mail plugin

  • users I correspond with use Symantec Desktop encryption which uses PGP/MIME

elijh commented Sep 18, 2013

Even if sending PGP/MIME needs to wait, I think being able to receive PGP/MIME would be really good in the short term. It is becoming more and more common for people to use PGP/MIME.

aaren commented Oct 8, 2013

I can see that encrypting to PGP/MIME would be difficult. Decrypting would be
really great though.

Use case

I use mutt with gpg. I am communicating with someone using mailvelope and
gmail. I can decrypt and display their inline pgp messages, but they have to
use another tool to decrypt the PGP attachment. This is annoying for them.

I can work around this by having mutt send pgp as inline, but this doesn't seem
to be the proper way of doing it as it is mutt that is following the standards.

Relevant standards

  • RFC 2015 - MIME Security with Pretty Good Privacy (PGP)
  • RFC 3156 - MIME Security with OpenPGP

There appears to be another problem: independent of what formatting is chosen for the to-be-encrypted plain text, if your gmail is set to html, then it will always send the ASCII armored encryption block in a plain text portion and html portion of the email, upsetting clients such as Thunderbird/Enigmail. It appears to be an Enigmail bug though, and I posted it there: https://sourceforge.net/p/enigmail/bugs/218/

Generally, I agree that PGP/MIME functionality would be great.

Owner

toberndo commented Nov 28, 2013

@christophdankert Thanks for analyzing this. I agree it should be fixed on Enigmail side.

da2ce7 commented Jan 17, 2014

PGP/MIME should be supported for incoming mail. However, for outgoing mail it isn't as important.

Owner

toberndo commented Jun 17, 2014

MIME messages are now parsed after decryption in v0.9.0.
text/plain and text/html supported. Attachments not yet.

Now that GMail has a REST API maybe the PGP/MIME support can be improved?
I think PGP/MIME is how encrypted mail should be done and it'd be a huge bonus if Mailvelope properly supported it.

bnvk commented Oct 14, 2014

Just chiming in from a UX perspective re: the work I've been doing on @mailpile + working with the data from both Inline vs. PGP/MIME. The latter option makes the conditions for a far superior interface that stands a much better chance of doing the following:

  • Accurately communicating the status & integrity of messages
  • Minimizing clutter and cognitive load of UI
  • Thus increasing potential for user understanding

Thank you for adding some support for incoming PGP/MIME messages. Any chance there'll be love for outgoing messages too? This is now the only thing stopping me from dropping Thunderbird.

mdik commented Mar 13, 2015

@rubin110 what do you mean by "Thank you for adding some support for incoming PGP/MIME messages."? I don't see it (yet?), but I also would be very happy if Mailvelope would follow the attachment links to be able to decrypt PGP/MIME messages!

As there is no way to read a PGP/MIME attachment I propose adding file encryption/decryption support to Mailvelope. That way we can still decide to make our own attachments for sending and receive PGP/MIME attachments without relying on a different keystore.

mdik commented Mar 18, 2015

How is there no way to read a PGP/MIME attachment? Aren't they just links you can pull the contents from?

I am referring to the current support in Mailvelope.

Sigmun commented Jan 5, 2016

One up for reading or opening PGP/MIME.

👍 I agree that PGP/MIME functionality would be great.

Are you already using this: https://www.inboxsdk.com/ ?
Or maybe it doesn't help, or is totally irrelevant (excuse me for my ignorance).

My e-mail provider mail.de offers automatic encryption of incoming (not end-to-end encrypted) mails - but I cannot open them in the webmailer because of missing PGP/MIME support in mailvelope - so this feature would be great for me as well :-)

Owner

toberndo commented Jan 15, 2016

@paulmering Mailvelope supports already reading PGP/MIME if the PGP armored block is displayed in the mail body (or a preview window).

👍 Would love to see a quiet option so I can sign my emails always instead of only to people from whom I know that they're using PGP.
For non-PGP users those emails seem odd.

woj-tek commented Jun 5, 2016

@toberndo could you expound on that? I've tried that with opening signature attachment within Gmail but nothing happened.

It would be great if it could work!

PGP/MIME signatures come as attachments, and Mailvelope does not recognise them.
