hiddentao / browsermail

Javascript IMAP email client for browsers
GNU Affero General Public License v3.0

email.js #3

Open tanx opened 10 years ago

tanx commented 10 years ago

In case you're interested in collaborating on IMAP/JS, perhaps there is some way to share code:

http://emailjs.org

hiddentao commented 10 years ago

That's interesting, and I've come across WhiteoutMail before. I'm actually working on autonomail - it's still a work in progress. I'm going for a REST protocol and a custom back-end server but do eventually hope to add IMAP support to the client for general use. I have PGP keygen and encryption/signing working. Hope to split these into independent projects soon - then perhaps we can add them to your list if you'd be up for it :)

tanx commented 10 years ago

Cool! Perhaps we can share code on more levels then. Here's an overview of our architecture: https://whiteout.io/technology.html

> I have PGP keygen and encryption/signing working. Hope to split these into independent projects soon - then perhaps we can add them to your list if you'd be up for it :)

Have you heard of OpenPGP.js or do you implement your own PGP? https://github.com/openpgpjs/openpgpjs/

Also, here's the security audit report: https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit

tanx commented 10 years ago

Also, if I may... your TLS implementation is susceptible to Man in the Middle attacks: https://github.com/hiddentao/browsermail/blob/master/src/js/node-polyfills/tls.js#L36

I know it's a pain since chrome.socket doesn't support native TLS yet, but you should do certificate pinning for supported mail providers in the meantime. Here's how we do it for our tcp-socket shim: https://github.com/whiteout-io/tcp-socket/blob/master/src/tcp-socket.js#L161

hiddentao commented 10 years ago

I don't use OpenPGP.js. Instead I'm trying out an Asm.js port of GPG2 (see https://github.com/manuels/unix-toolbox.js-gnupg). I run it in a web worker and then simply save the virtual filesystem as the user's private data. If I can make this work all the way I think it's better than using OpenPGP.js as it's a mature, well-tested codebase which already implements the full PGP spec.

Looking at your technology page it seems we're both aiming for a similar overall structure (Cordova/Chrome app/etc.).

Thanks for the TLS tip. Yeah, I hacked that thing together quite quickly! So I'm not surprised. For Autonomail I'm actually aiming to provide a full mail service, so my back-end will handle all of that for me.

hiddentao commented 10 years ago

If you're interested here is my GPG interface.

tanx commented 10 years ago

> I don't use OpenPGP.js. Instead I'm trying out an Asm.js port of GPG2 (see https://github.com/manuels/unix-toolbox.js-gnupg). I run it in a web worker and then simply save the virtual filesystem as the user's private data. If I can make this work all the way I think it's better than using OpenPGP.js as it's a mature, well-tested codebase which already implements the full PGP spec.

I'll let Matthew Green comment on the codebase of GPG: https://twitter.com/matthew_d_green/statuses/461999229305880576

Although I agree that OpenPGP.js is still quite young and not as feature-complete as GPG, it has good unit test coverage and the code quality has gotten much better in the last few months. So it may also be worth another look.

tanx commented 10 years ago

> If you're interested here is my GPG interface.

Thanks! I'll take a look. Although the asm.js port also seems to be quite "alpha" atm as well: http://manuels.github.io/unix-toolbox.js-gnupg/

hiddentao commented 10 years ago

Hah, I guess I should have expected that by now. Having said that, Enigmail and the various other OpenPGP tools people use all use libgcrypt underneath the hood so it can't be a total disaster.

The ASM port is pretty alpha, but all the functionality I've tried so far works well. It's exactly like running GPG2 on the command-line.

Given your recommendation I'm open to giving OpenPGP another go. I think a performance comparison would be particularly interesting.

tanx commented 10 years ago

> I think a performance comparison would be particularly interesting.

Definitely. If you have any findings, I would be interested as well.

Also a note on performance: we will integrate the W3C Web Crypto APIs into OpenPGP.js soon, so at least all the crypto primitives should be native and fast. This should make for a more maintainable AND performance-optimized library.

hiddentao commented 10 years ago

> Also a note on performance: we will integrate the W3C Web Crypto APIs into OpenPGP.js soon, so at least all the crypto primitives should be native and fast. This should make for a more maintainable AND performance-optimized library.

That sounds really great. Looking forward to it.