[RCD] Status of S/MIME and PGP support

Markus Wernig markus at wernig.net
Sun Dec 1 14:20:24 CET 2013


On Sat Nov 30 13:00:45 CET 2013, Thomas Bruederli wrote:

> But in terms of architecture, a purely client-side
> encryption/decryption is the preferred and most secure way.

OK, this depends on which side of the cryptosystem you assume to be more
trustworthy: the server or your browser runtime. Especially JavaScript
has some major drawbacks when it comes to crypto (just think XSS). See
e.g. here for a discussion:
http://www.matasano.com/articles/javascript-cryptography/

An S/MIME browser plugin would definitely be the way to go, security-wise.

Unfortunately, this is a nightmare maintenance-wise ... and also would
take considerably more time (which is, as always, the limiting factor).

So I'd rather stick with a server-side approach, even if it would not
make it into an official release.

Kind regards
/markus
