1
0
mirror of https://github.com/moparisthebest/mail synced 2024-12-24 16:28:49 -05:00

update security in readme

This commit is contained in:
Tankred Hase 2014-01-16 12:06:38 +01:00
parent a9efd1705b
commit 607254bc2e

View File

@ -6,8 +6,8 @@ Whiteout Mail is an easy to use email client with integrated OpenPGP encryption
### Privacy and Security ### Privacy and Security
* We take the privacy of your data very seriously. Messages are [encrypted end-to-end ](http://en.wikipedia.org/wiki/End-to-end_encryption) using the [OpenPGP](http://en.wikipedia.org/wiki/Pretty_Good_Privacy) protocol. This means that only you and your correspondents can read your mail. * We take the privacy of your data very seriously. Messages are [encrypted end-to-end ](http://en.wikipedia.org/wiki/End-to-end_encryption) using the [OpenPGP](http://en.wikipedia.org/wiki/Pretty_Good_Privacy) protocol. This means that only you and your correspondents can read your mail.
* The client talks directly via IMAP/SMTP to your mail server. Your data and private PGP key are stored encrypted on your computer and are never sent to our our servers. * The client talks directly via IMAP/SMTP to your mail server. Your messages and private PGP key are stored encrypted on your computer and are never sent to our our servers.
* Mail server SSL certificates are pinned under [`src/ca/`](https://github.com/whiteout-io/mail-html5/tree/master/src/ca) in order to protect against SSL stripping and other man in the middle attacks. * Mail server [SSL certificates are pinned](http://security.stackexchange.com/questions/29988/what-is-certificate-pinning) under [`src/ca/`](https://github.com/whiteout-io/mail-html5/tree/master/src/ca) in order to protect against SSL stripping and other man in the middle attacks.
* The app is deployed as an auditable [Chrome Packaged App](https://developer.chrome.com/apps/about_apps.html) with static versions in order to prevent [problems with host-based security](http://tonyarcieri.com/whats-wrong-with-webcrypto). It uses raw [TCP sockets](http://developer.chrome.com/apps/socket.html) to communicate with the mail server. * The app is deployed as an auditable [Chrome Packaged App](https://developer.chrome.com/apps/about_apps.html) with static versions in order to prevent [problems with host-based security](http://tonyarcieri.com/whats-wrong-with-webcrypto). It uses raw [TCP sockets](http://developer.chrome.com/apps/socket.html) to communicate with the mail server.
* [Content Securit Policy (CSP)](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) is enforced to prevent against injection attacks. * [Content Securit Policy (CSP)](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) is enforced to prevent against injection attacks.
* The code is still under heavy development and is not yet recommended for production use. That being said, we have done multiple code audits and penetration tests (which will be published regularly once all reported vulnerabilities are fixed). * The code is still under heavy development and is not yet recommended for production use. That being said, we have done multiple code audits and penetration tests (which will be published regularly once all reported vulnerabilities are fixed).