We are in the possession of a security audit that was requested by the email provider Posteo and conducted by Cure53, which has revealed that the Firefox security structure is currently unable to offer a sufficiently safe environment for the Mailvelope browser extension.
As has been obvious for some time, Firefox architecture does not seal off add-ons from each other sufficiently enough. However, the fact that, in some extreme cases, even private keys of a Mailvelope user can be compromised had not been proved yet. Cure53 has now been able to demonstrate that such an attack is feasible: Either, the user has to be tricked into installing a malicious add-on or the attacker manages to take over an already installed add-on.
Mailvelope naturally relies on the security of the underlying browser platform. In the present case, we are unable to offer a remedy ourselves. Nevertheless, Mozilla is already working on a fundamental improvement of the add-on system. In November 2017, Firefox is scheduled to finally switch to an overhauled add-on structure, which will then offer sufficient protection against attacks.
A new Mailvelope version for the new, improved Firefox structure is already in the making.
Until Mozilla has modified the architecture, the following safety recommendations apply:
The security audit also demonstrated some positive results regarding Mailvelope. Posteo writes about this:
There was a check made as to whether email providers for which Mailvelope is used could access a Mailvelope user’s private keys saved in the browser – this was not possible. All other attempts made by the security engineers to access private keys saved in Mailvelope, such as operating third party websites or man-in-the-middle attacks, were also unsuccessful.
Security Audits such as the one performed by Posteo serve as an important indicator that shows how we can further improve Mailvelope. At this point, we’d like to thank Posteo for conducting the audit and thus their contribution to the Mailvelope project.