webext-signed-pages
Tutanota makes encryption easy
webext-signed-pages | Tutanota makes encryption easy | |
---|---|---|
16 | 467 | |
180 | 5,748 | |
- | 0.6% | |
0.0 | 9.9 | |
over 1 year ago | about 9 hours ago | |
JavaScript | TypeScript | |
BSD 3-clause "New" or "Revised" License | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
webext-signed-pages
-
E2EE on the web: is the web that bad?
There is "Signed Pages" by the debeloper of EteSync. It is a browser extension, that checks webapps based on signatures in the html file. The addon then warns the user if the signature is not correct or - if I remember correctly - the source changed. This allows you to be sure what webapp code was delivered. But it seems like it did not really get used outside of his own projects. https://github.com/tasn/webext-signed-pages
-
Cloudflare and CDNs - call for community opinions
EteSync has implemented something called Signed Pages, this might be worth looking closer at. This uses PGP keys which is preloaded into the browser; but I suspect that will be a barrier too high for most non-tech users.
- Is there any tool to verify client-side website code you get served is the same as the open source version?
-
Truly safe?
There are also projects like signed web pages which can also help increasing the trust level to some degree. But that requires that you can download the source code and regenerate the verification hash locally - or have other trusted methods to verify the hash value hasn't been modified as well. The current concept is reasonably sane, but it requires too much from users currently to make it widely used.
- A browser that verifies Javascript
-
Security experts declare all Proton apps secure after security audit
> The server can at any time start serving malicious payloads
True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different).
In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers don't natively have a nice way of pinning specific versions of a web app, but there is the clever hack of SecureBookmarks[0] (if you're prepared to sacrifice the UX), or, more realistically, you can pin the web app version using some sort of browser extension.
Examples of the latter include the Signed Pages extension[1], and Code Verify[2], which is the result of a collaboration between Meta and Cloudflare (for securing the WhatsApp Web code, currently, but should eventually support other sites like Proton's too). Of course, it would be much better if this capability was natively included in browsers themselves, but hopefully adoption of this technology will pressure browsers and standards bodies to take ownership of this.
[0] https://coins.github.io/secure-bookmark/
[1] https://github.com/tasn/webext-signed-pages
[2] https://github.com/facebookincubator/meta-code-verify
-
ProtonMail Is Inherently Insecure, Your Emails Are Likely Compromised
Something like a browser extension for this does already exist, fortunately:
https://github.com/tasn/webext-signed-pages
-
"Were you able to subpoena ProtonMail?"
In regards to untrusted webapp, yes, that is a reasonable attack vector. That said, I've heard from ProtonMail they have been considering to implement Signed Pages to help mitigate (at least some of the) issues with this attack vector.
-
Proton’s priorities
Which is why it is important to get proper E2E encryption on e-mail, where the source is open source and can be audited. And then that there are verify mechanisms to verify that the source code has not been manipulated. For web services there are signed-pages which is quite interesting.
Tutanota makes encryption easy
-
Show HN: TutaCrypt, post-quantum encryption protocols for securing emails [pdf]
Hi HN, we are the developers from Tuta (formerly Tutanota), the German end-to-end encrypted email provider, and we recently released the world's first post-quantum encryption for email.
We have included a full technical write-up of the cryptography involved in these changes and we have released it for open public review.
This document specifies TutaCrypt, a protocol designed for hybrid email encryption in Tuta Mail. The protocol combines a classical Elliptic-Curve-Diffie-Hellman key exchange with a post-quantum KEM. The goal is to replace the usage of RSA in Tuta Mail.
In the remainder of this document we describe some preliminaries such as the cryptographic primitives used. We define the core algorithms of the protocol and describe the flow of messages between the communicating parties. Finally, we discuss the security properties and some limitations of the protocol in its current form.
We are eager for your constructive feedback. All cryptography related source code is available for review and experimenting here: https://github.com/tutao/tutanota/blob/master/src/api/worker...
If you have any questions or comments related to post-quantum cryptography please let us know in the comments!
- How to Escape Gmail
-
A list of SaaS, PaaS and IaaS offerings that have free tiers of interest to devops and infradev
Tutanota - Free secure email account service provider with built-in end-to-end encryption, no ads, no tracking. Free 1GB storage. Which is also partially open source, so you can self-host.
-
secret storage
You are probably using a window manager and Electron is not able to detect the secret service backend you have installed. We recently switched to Electron’s built in api for storing credentials, which is the reason for this issue. https://github.com/tutao/tutanota/issues/6265
-
⟳ 4 apps added, 32 updated at f-droid.org
Tuta Mail (version 3.119.3): Encrypted email & calendar service - easy to use, secure by design.
-
Please move away from Amazon for Tuta's Domain Name System
A look at tuta.com and tutanota.com demonstrates that Tuta is using an Amazon Start of Authority (SOA) DNS record and 4 corresponding Amazon Name Server (NS) DNS records.
-
Apple and Google Monitor Notifications. We Need Push Notification Alternatives
rich coming from tuta who still lack a onion based login. this ticket from 2018 was locked as off-topic. https://github.com/tutao/tutanota/issues/528
as lenin said, the best way to control the opposition is to lead it. for me, unless the company has been raided by the government they simply cannot be trusted.
apple proudly advertises privacy billboards while sharing everything they are asked under shadow laws. absolute hypocrisy and double standards. but then they wouldnt be where they are without government money and favours.
-
Change current email from Tutanota to tuta
Have a non business paid account. Can you change your current tutanota.com email to the tuta.com email?
-
Unable to access account
I have an at tutanota.com account. All of a sudden, this evening, it disconnected and I haven't been able to re-access my account. It actually seems like the whole platform is down, but maybe that's just the context from my devices.
-
Migration is needed for which domains?
I have a fairly recent free account that I believe was on the domain tutanota.com which I can no longer log into.
What are some alternatives?
photos-app - ➡️ Moved to https://github.com/ente-io/ente
SimpleLogin - The SimpleLogin back-end and web app
mailvelope - Browser extension for OpenPGP encryption with Webmail
AnonAddy - Anonymous email forwarding
frame - System-wide Web3 for macOS, Windows and Linux
ProtonMail Web Client - Monorepo hosting the proton web clients
pacman-bintrans - Experimental binary transparency for pacman with sigstore and rekor
duckduckgo-locales - Translation files for <a href="https://duckduckgo.com"> </a>
leCrypt-web-extension - leCrypt is a decentralised password manager which is cross-platform, free and secure.
Mailcow - mailcow: dockerized - 🐮 + 🐋 = 💕
proton-mail - React web application to manage ProtonMail
Disposable Mailbox