This repository has been archived by the owner on Jul 10, 2019. It is now read-only.
security.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Security and Privacy | Whiteout Networks</title>
<meta name="description" content="Encryption for the rest of us.">
<meta name="copyright" content="Copyright (c) 2016 Whiteout Networks GmbH i. L.">
<meta name="keywords" content="whiteout, end to end encryption, encrypted cloud email, mail, secure file sharing, securely share files, open source, privacy, security, client side encryption, pgp, gpg, openpgp, html5">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<meta name="viewport" content="width=device-width">
<meta name="robots" content="index,follow,noodp">
<!-- link to chrome web store for inline installation -->
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/jjgghafhamholjigjoghcfcekhkonijg">
<link href="css/all.css" rel="stylesheet" type="text/css">
<script src="js/modernizr.js"></script>
<meta name="theme-color" content="#189dcd">
<link rel="shortcut icon" href="favicon.ico">
<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-52535674-1', 'auto');
ga('send', 'pageview');
</script>
</head>
<body id="top">
<div class="wp">
<header class="header header--sticky">
<nav>
<ul>
<li><a href="https://github.com/whiteout-io/mail" target="_blank">GitHub</a></li>
<li><a href="https://blog.whiteout.io" target="_blank">Blog</a></li>
</ul>
</nav>
<a href="/">
<img class="header__logo" src="img/whiteout_logo_white.svg" alt="whiteout.io">
</a>
<button type="button" class="header__navicon">
<svg>
<use xlink:href="icons/all.svg#navicon" />
<title>Open Menu</title>
</svg>
</button>
</header>
<div class="header-placeholder"></div>
<section class="container">
<p>
<a href="/">‹ back</a>
</p>
<h1>Security and Privacy</h1>
<p>We take the privacy of your data very seriously. Here are some of the technical details:</p>
<div class="security-listing">
<div class="security-listing__entry">
<p>
Messages are <strong>encrypted end-to-end</strong> using the <strong>OpenPGP</strong> standard. This means that only you and the recipient can read your mail. Your messages and private PGP key are stored only on your computer (in IndexedDB).
</p>
</div>
<div class="security-listing__entry">
<p>
Users have the option to use <strong>encrypted private key</strong> sync if they want to use Whiteout on multiple devices.
</p>
</div>
<div class="security-listing__entry">
<p>
<strong>Content Security Policy (CSP)</strong> is enforced to prevent injection attacks.
</p>
</div>
<div class="security-listing__entry">
<p>
HTML mails are <strong>sanitized</strong> and are rendered in a <strong>sandboxed</strong> iframe.
</p>
</div>
<div class="security-listing__entry">
<p>
Displaying mail <strong>images is optional</strong> and opt-in, so they are off by default.
</p>
</div>
<div class="security-listing__entry">
<p>
Like most native email clients, whiteout mail uses raw <strong>TCP sockets</strong> to communicate directly with your mail server via IMAP/SMTP. TLS is used to protect your password and message data in transit.
</p>
</div>
<div class="security-listing__entry">
<p>
The app is deployed as a signed <strong>Chrome Packaged</strong> App with
<strong>auditable static versions</strong> in order to prevent
<strong>problems with host-based security</strong>.
</p>
</div>
<div class="security-listing__entry">
<p>
The app can also be used <strong>from any modern web browser</strong> in environments where installing an app is not
possible (e.g. a locked down corporate desktop). The IMAP/SMTP TLS sessions are still terminated
in the user's browser using JS crypto (Forge), but the encrypted TLS payload is proxied via socket.io,
due to the lack of raw sockets in the browser.
</p>
<p>
Please keep in mind that this mode of operation is not as secure as using the signed packaged app,
since users must trust the webserver to deliver the correct code. This mode will still protect
users against passive attacks like wiretapping (since PGP and TLS are still applied in the
user's browser), but not against active attacks from the webserver. It is best to decide
which threat model applies to you.
</p>
</div>
<div class="security-listing__entry">
<p>
All our <strong>code is published</strong> for expert review. We work with independent experts who <strong>regularly audit</strong> our code.
We publish the audit results.
</p>
</div>
<div class="security-listing__entry">
<p>
Our mail and key servers are <strong>hosted in Germany</strong>.
</p>
</div>
</div>
<p class="text-left">
Please also refer to the <a href="privacy.html">privacy policies</a> for our web site
and for our <a href="privacy-service.html">service</a>
for more information about which data we store and what we do with it.
</p>
</section>
<footer class="footer">
<div class="footer__inner">
<div class="container container--wide">
<nav>
<ul>
<li><a href="https://github.com/whiteout-io/mail" target="_blank">GitHub</a></li>
<li><a href="imprint.html">Imprint</a></li>
<li><a href="privacy.html">Privacy</a></li>
</ul>
</nav>
<p>© 2015 Whiteout Networks GmbH i. L.</p>
</div>
</div>
</footer>
</div>
<script src="js/all.js"></script>
</body>
</html>
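The page's entries on CSP, sanitized HTML mail in a sandboxed iframe, and opt-in images describe layers that combine when a message is rendered. The sketch below is an added example, not Whiteout's own code; `buildMailFrame`, `mailCsp`, `standInSanitize` and the sample mail are hypothetical names and constructed data.

```javascript
// Added example; buildMailFrame, mailCsp and standInSanitize are hypothetical names.

// Escape a document for use inside a double-quoted srcdoc attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Policy for the mail document: nothing loads by default, inline styles are
// allowed for layout, and images load only after the user opts in.
function mailCsp(showImages) {
  const img = showImages ? 'img-src https: data:' : "img-src 'none'";
  return ["default-src 'none'", "style-src 'unsafe-inline'", img].join('; ');
}

// Wrap sanitized mail HTML in a sandboxed iframe. `sanitize` is injected so a
// real HTML sanitizer library can be used; it is the first layer, the CSP and
// the sandbox are the layers that still hold if it misses something.
function buildMailFrame(rawHtml, sanitize, showImages = false) {
  const doc =
    '<!DOCTYPE html><html><head>' +
    '<meta http-equiv="Content-Security-Policy" content="' +
    mailCsp(showImages) + '"></head><body>' +
    sanitize(rawHtml) + '</body></html>';
  // An empty sandbox attribute applies every restriction: no script
  // execution, no forms, no top-level navigation, and a unique origin.
  return '<iframe sandbox="" srcdoc="' + escapeAttr(doc) + '"></iframe>';
}

// Constructed sample mail with a remote tracking image and a script tag.
const SAMPLE_MAIL =
  '<p>Hello</p><img src="https://tracker.example/p.gif"><script>alert(1)</script>';

// Stand-in for a real sanitizer, only so the example runs offline.
// A production client should use a DOM-based sanitizer, not a regex.
function standInSanitize(html) {
  return html.replace(/<script[\s\S]*?<\/script>/gi, '');
}

console.log(buildMailFrame(SAMPLE_MAIL, standInSanitize));
```

With `showImages` left at its default, the remote image tag survives sanitization but the frame's own policy refuses to fetch it, which is what keeps tracking pixels from firing before the user opts in.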