[NBLUG/talk] [SM-PLUGINS] G/PGP Encryption Plugin for Squirrelmail - v 1.0.1 released

ME dugan at passwall.com
Wed Mar 5 20:51:01 PST 2003


Some of you use SquirrelMail, and have wanted a gpg plugin for it. It
looks like work has started on one.

I have not tried it, but some words of warning for it:

Use of just a "verify key" by using a public key from a server may be
tolerable when it comes to security, but use of encryption with such a
plugin should be treated much like ssh - only encrypt on a machine, from
which you are using the web browser, that you trust *to* a machine that
you trust.

Just like ssh, you would not want to ssh from a public machine or ISP's
shell server, or a machine that you do not fully trust to a trusted
machine - you should not encrypt with gpg through a web browser, from a
machine that you do not trust.

Even so, how much do you trust your web browser (even on a trusted
machine) to not leave a cache file sitting around with form submission
data?

Though I may play with this plugin and/or offer it to my SM users, I will
not likely use the encrypt/decrypt features if/when they are available.
Even signing my own e-mail messages would require me to enter a
passphrase, so that seems unlikely too.

Similar risks also exist on the server. If the server is taken over, or
you don't trust the admin, there is risk for trojaning to steal your
passphrase for encryption/signing.

Anyway, I know a few people who are willing to accept these risks, and use
only machines they trust to use servers they trust since they admin both.
I pass this information as an information service, not as a suggestion to
use it.

-ME


---------------------------- Original Message ----------------------------
Subject: [SM-PLUGINS] G/PGP Encryption Plugin for Squirrelmail - v 1.0.1 released
From:    "Brian G. Peterson" <brian at braverock.com>
Date:    Wed, March 5, 2003 4:18 pm
To:      squirrelmail-plugins at lists.sourceforge.net
--------------------------------------------------------------------------
Turning off decryption introduced some regression errors.  These have been
fixed and the plugin has been updated to v 1.0.1.  Thanks to everyone who
let us know about minor issues.

---snip---
We have created a gpg encryption plugin for Squirrelmail.

For now, I have disabled all decryption and private key functions, as
these are not stable.

The plugin has been tested by multiple users (there are over 50 users on
the development server).

Full Details are in the README.txt file.

This is a general purpose encryption plugin for Squirrelmail.

Features:
	- Key import from keyring or ASCII armor file
	- key search and import from keyservers
	- encrypt from Compose
	- system keyring for use on corporate mail servers
	- configurable trusted_key field
	- general options on how the plugin works

I have created a web page that has the plugin tarball and README file at:
http://braverock.com/gpg/

There is also a plugin development list:
	gpg at braverock.com

Interested parties may join by sending a message to
gpg-request at braverock.com with a body of subscribe.  We are always
interested in bug-fixes, contributions, help with testing, etc.

Regards,

	- Brian
	  brian at braverock.com



