Security audit and release v0.6

By Thomas Oberndörfer - April 9, 2013

Mailvelope v0.6 is released today with a major redesign focusing on security. An audit done by Cure53 started end of December 2012 and evaluated Mailvelope’s security implementation and its security design aspects. In the course of two months we worked together with Cure53 on new concepts to prevent any form of leak of sensitive user data and at the same time do not degrade the user experience. The complete penetration report may be reviewed here.

Highlights of this new release include:

  • Mailvelope comes now with an external editor to compose mails. The process to write and encrypt mails is thereby completely isolated from the mail provider.
  • A security token is displayed on all dialog windows, allowing to clearly identify the origin of the dialog.
  • Two options to displays decrypted messages: on the mail provider page or in a separate popup.
  • Passwords for private keys can be cached in memory which accelerates the decryption process.

See also the security section in the documentation for more details.

We would like to thank the Open Technology Fund (RFA) for sponsoring the security audit. Without this funding the optimizations in the new release of Mailvelope would not have been possible. Thanks go also to Mario Heiderich and Krzysztof Kotowicz from Cure53 for their contributions.