Whiteout Mail: An Email App with Integrated OpenPGP Encryption

jopen, 10 years ago

Whiteout Mail is an easy-to-use email client with integrated OpenPGP encryption, written in pure JavaScript.

Privacy and security

This client takes data privacy very seriously. Some technical details:

  • Messages are encrypted end-to-end using the OpenPGP standard. This means that only you and the recipient can read your mail. Your messages and private PGP key are stored only on your computer (in IndexedDB).

  • Users have the option to use encrypted private key sync if they want to use Whiteout on multiple devices.

  • Content Security Policy (CSP) is enforced to prevent injection attacks.

  • HTML mails are sanitized with DOMPurify and are rendered in a sandboxed iframe.

  • Displaying mail images is optional and opt-in by default.

  • Like most native email clients, Whiteout Mail uses raw TCP sockets to communicate directly with your mail server via IMAP/SMTP. TLS is used to protect your password and message data in transit.

  • The app is deployed as a signed Chrome Packaged App with auditable static versions in order to prevent problems with host-based security.

  • The app can also be used from any modern web browser in environments where installing an app is not possible (e.g. a locked-down corporate desktop). The IMAP/SMTP TLS sessions are still terminated in the user's browser using JS crypto (Forge), but the encrypted TLS payload is proxied via socket.io, due to the lack of raw sockets in the browser. Please keep in mind that this mode of operation is not as secure as using the signed packaged app, since users must trust the webserver to deliver the correct code. This mode will still protect users against passive attacks like wiretapping (since PGP and TLS are still applied in the user's browser), but not against active attacks from the webserver. So it's best to decide which threat model applies to you.
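The CSP, DOMPurify/sandboxed-iframe and opt-in image points above can be combined into one rendering path. The sketch below is an added example, not Whiteout Mail's own code: every function name is hypothetical, the sanitizer is passed in (in a browser this would be `DOMPurify.sanitize`), and it assumes inline images are supplied as `data:` URIs.

```javascript
// Added example, not Whiteout Mail's code. All names are hypothetical.

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// CSP for the mail document itself: nothing loads unless listed.
// Remote images are allowed only after the user opts in.
function mailCsp(showImages) {
  const img = showImages ? 'img-src data: https:' : 'img-src data:';
  return ["default-src 'none'", "style-src 'unsafe-inline'", img].join('; ');
}

// Build the iframe markup for one message body.
// sanitize: function(html) -> html, e.g. DOMPurify.sanitize in a browser.
function buildMailFrame(untrustedHtml, sanitize, showImages = false) {
  const clean = sanitize(untrustedHtml);               // layer 1: sanitizer
  const doc = '<!doctype html><meta charset="utf-8">' +
    '<meta http-equiv="Content-Security-Policy" content="' +
    escapeAttr(mailCsp(showImages)) + '">' +           // layer 2: per-mail CSP
    clean;
  // layer 3: sandbox with no tokens = no scripts, forms or popups,
  // and the content runs in a unique origin.
  return '<iframe sandbox="" srcdoc="' + escapeAttr(doc) + '"></iframe>';
}

// Constructed sample message: a script plus a remote tracking pixel.
const SAMPLE_MAIL =
  '<p>Hello</p><script>alert(1)</script>' +
  '<img src="https://tracker.example/p.gif">';

// Stand-in so the example runs offline. NOT a real sanitizer;
// use DOMPurify.sanitize in an actual client.
const standInSanitize = (html) =>
  html.replace(/<script[\s\S]*?<\/script>/gi, '');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildMailFrame(SAMPLE_MAIL, standInSanitize));
  console.log(buildMailFrame(SAMPLE_MAIL, standInSanitize, true));
}
```

With images left off, the tracking pixel's `<img>` tag survives sanitization but the browser refuses the fetch because `img-src` lists only `data:`.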

Third-party libraries

  • OpenPGP.js (LGPL license): an OpenPGP implementation in JavaScript
  • email.js (MIT license): IMAP, SMTP, MIME-building and MIME-parsing engine
  • Forge (BSD license): a TLS implementation in JavaScript

Project homepage: http://www.open-open.com/lib/view/home/1414373849215