Message-ID: <555E2BFC.6000709@rawbw.com>
Date: Thu, 21 May 2015 12:03:24 -0700
From: Yuri <yuri@rawbw.com>
To: tor-talk@lists.torproject.org
References: <CAD2Ti2-qdymrnM-nHqP2sVBYP=notY6sW54dQ1to-KTbkTEY4A@mail.gmail.com>
In-Reply-To: <CAD2Ti2-qdymrnM-nHqP2sVBYP=notY6sW54dQ1to-KTbkTEY4A@mail.gmail.com>
Subject: Re: [tor-talk] Mailpile SMTorP [ref: nexgen P2P email]

On 05/21/2015 00:41, grarpamp wrote:
> This eliminates the fact that all these new centralised OpenPGP
> webmail providers will have access to your keys/cleartext, because
> either:
> A) it resides there
> B) the malware they give you to run in your browser gives it away.

On one hand, Mailpile is after security, which is great. But on the
other hand they use node, which doesn't sign packages, therefore being
vulnerable to MITM attacks. I think node js is either fundamentally
opposed to signing, or wants to bundle it with their commercial version,
or something like that. With this trade-off (convenience of node vs
security), Mailpile certainly doesn't look as secure as such a system
could be.

Node js also has the insecure command that downloads code directly from
github. So if some github project gets hijacked or bought out, guess
what will happen?

Yuri