Security

Thomas Oberndörfer edited this page Apr 16, 2018 · 6 revisions

Security Audits

  • Feb. 2017: Security Audit of Mailvelope by Cure53 (Posteo)
  • Dec. 2015: Security Audit of Mailvelope by Cure53 (1und1)
  • Jul. 2015: Security Audit of Mailvelope API by Cure53 (1und1)
  • Dec. 2014: Security Audit of Mailvelope API by Cure53 (1und1)
  • Oct. 2014: Pentest Mailvelope integrated editor by Cure53 (1und1)
  • May 2014: Penetration test of Firefox add-on by iSECpartners (OTF)
  • Feb. 2014: Security audit of OpenPGP.js by Cure53 (OTF)
  • Feb. 2013: Penetration test of Chrome extension by Cure53 (OTF)

Fixed vulnerabilities

  • XSS via HTML file download link. (fixed in Mailvelope v1.3.2) Detailed analysis
  • Bug in S2K allows decryption of malformed private key backup messages. (fixed in Mailvelope v1.2.0) Detailed analysis
  • Integrated documentation page can access privileged API. (fixed in Mailvelope v0.11.0) Detailed analysis
  • EME PKCS1 v1_5 padding bug in OpenPGP.js. (fixed in Mailvelope v0.8.0) Detailed analysis and blog post.