rc_openpgpjs: Ending seven years of Roundcube insecurity

Roundcube is a popular open source IMAP webmail application. Roundcube is used by Harvard University, UC Berkeley and University of Michigan. Apple Mac OS X 10.7 uses Roundcube by default in its Mail Server. While writing this, a lazy Google dork estimates 133 000 public Roundcube installations.

PGP support was first requested seven years ago and set critical six years ago. PGP support has been requested actively ever since. One of the core developers began the development of his PHP implementation, the Enigma plugin, two years ago but the plugin has not been made functional yet.

Today I am proud to release a beta version of my Roundcube plugin that implements PGP using the OpenPGP.js (based on GPG4Browsers) JavaScript library. rc_openpgpjs enables OpenPGP to function in the user’s browser so that fundamental key storage security isn’t immediately broken by design, as opposed to the official Enigma plugin.

At its current beta stage, rc_openpgpjs is able to generate an encryption key pair, save it in HTML5 web storage (in your own browser, guys) and perform encryption and decryption of email. rc_openpgpjs works in any modern browser that can parse HTML5 and supports the window.crypto object. Unfortunately this is limited to Google Chrome today, but Mozilla is working on it.
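The two browser prerequisites named above (HTML5 web storage and the window.crypto object) can be probed before key generation is offered to the user. This is an added example, not code from rc_openpgpjs; the function name `checkOpenPgpPrereqs` and the probe key are hypothetical.

```javascript
// Added example: probe a window-like object for the features the post requires.
// checkOpenPgpPrereqs and the probe key name are hypothetical, not plugin code.
function checkOpenPgpPrereqs(win) {
  const missing = [];

  // 1. Random source: key generation must not fall back to Math.random().
  try {
    const c = win.crypto;
    if (!c || typeof c.getRandomValues !== "function") {
      missing.push("window.crypto.getRandomValues");
    } else {
      const buf = new Uint8Array(16);
      c.getRandomValues(buf);
      // 16 zero bytes from a real CSPRNG is practically impossible,
      // so an untouched buffer indicates a no-op stub.
      if (buf.every((b) => b === 0)) {
        missing.push("window.crypto.getRandomValues");
      }
    }
  } catch (e) {
    missing.push("window.crypto.getRandomValues");
  }

  // 2. Web storage: it must accept a write and return the same value.
  //    Disabled or full storage throws on setItem, so do a real round trip.
  try {
    const s = win.localStorage;
    const probe = "__pgp_storage_probe__";
    s.setItem(probe, "1");
    const roundTrip = s.getItem(probe) === "1";
    s.removeItem(probe);
    if (!roundTrip) missing.push("localStorage");
  } catch (e) {
    missing.push("localStorage");
  }

  return { ok: missing.length === 0, missing };
}
```

In a browser, call `checkOpenPgpPrereqs(window)` and refuse to generate or store keys when `ok` is false.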

rc_openpgpjs is available on GitHub. rc_openpgpjs will become stable as soon as some small glitches have been corrected. It has been written for Roundcube 0.8.4 with the Larry skin.

8 Responses to “rc_openpgpjs: Ending seven years of Roundcube insecurity”

  1. Alex Says:

    Very nice! Would you mind sending us a logo and link that we can publish at http://openpgpjs.org? We would like to list projects that are using our library…

  2. qnrq Says:

    Replied on the mailing list :-)

  3. Greg Says:

    This is great, and I’ve installed it, but it doesn’t have the functionality that’s shown/mentioned. There is no encrypt/sign button. And when I click the sign image, it prompts me for the user’s key I’m sending to, instead of my key. There’s also no way to encrypt from what I see.

    Is this still actively being worked on?

  4. Bruce Says:

    Thank you for this!

  5. Bruce Says:

    Are there any plans to deal with attachments in the future? I.e., to be able to open attachments from within Roundcube?

  6. Rafael Says:

    I can’t get it working.

  7. Rafael Says:

    It’s working now, my mistake, thanks.

  8. isithran Says:

    Is there a way to support smart cards for secure key storage in your implementation? (e.g. OpenPGP smart card, or #PKCS11/#PKCS15 compliant modules)
