Roadmap for version 0.2.2-3
100% of
4 tasks
completed.
40% of
10 tasks
completed.
7 open tasks:
-
FS#14 - Remember user-login
Expand
Collapse
-
At this time the user-login is remembered for 10 minutes. The user has to type it in again after that time. there is no renewal of the timer.
We need to define an option for the user to decide how long he wants to remember the user login.
Possible options:
* -1 (unlimited/session), 0, >0 in minutes?
* renew counter on each use?
-
FS#20 - Version change: Migration support
Expand
Collapse
-
We need to implement a method to support changes we make in storage. The Addon needs to be aware that a user skipped one or more versions.
Also, without this support, the user would have to run the wizard on every change in the storage backend.
- migrate addonSettings
- migrate userSettings
- consider doing this class based with defaults + migration only on struct. change
-
FS#34 - Decrypt overlay needs to be optimized
Expand
Collapse
-
At this point the decrypt overlay is on an absolute position and therefore hard to position.
The benefit and reason for the decision was that this way it would least likely mess-up the original webpage.
The problem is that, eg. in an scrollable div, the overlay would move with the scrolling but keep above the rest of the content. The result is a ugly overlay and blocking of the rest of the content.
We want to test, if a different solution than an overlay might also be possible without effecting the original webpage too much.
Possible solution:
wrap the first line of the PGP message with an anchor and attach at the end the ShuFu decrypt icon. Use styling to highlight this change. This is already implemented as "buildLinkOverlay" in data/lib/annotate.js and can be switched on in line 520 "if (true)".
-
FS#54 - Make Storage more robust
Expand
Collapse
-
- differentiate between create, read, update, delete
- look into other storage backends (transactions, browser crash, etc.)
- sanity checks?
-
FS#57 - make code testable
Expand
Collapse
-
- each file defines one or more modules/classes
- modules/classes are not instantiated within same file
- we add init files for panel/config/wizard/...
- each module/class is built by a dependency injection/factory thingey
- all dependencies of the module/class need to be explicitely stated at the beginning/instantiation
before:
(function() {
SHUFU.xyz = ... SHUFU.other ...
})();
after:
function makeXyz(dep1, dep2, dep3) {
return {
xyz = ... dep2 ...
};
}
later:
var xyz = theFactory('xyz');
-
FS#78 - find armor in forwarding
Expand
Collapse
-
find pgp armor in forwarded mail
-
FS#100 - Enable webCrypto for openpgpjs
Expand
Collapse
-
For now webCrypto API is not working.
We need to enable this for better Crypto and speedup.
8% of
15 tasks
completed.
14 open tasks:
-
FS#5 - Add Spinner to encrypt message
Expand
Collapse
-
The encrypt process does not have a spinner dialogue. This is needed since the process might take longer than the user expects.
-
FS#10 - Support user-defined PGP passphrase on createOwnIdentity
Expand
Collapse
-
It should be possible for the user to define a passphrase for a private PGP key created by ShuFu Privacy.
Right now, ShuFu uses an empty passphrase since the key is stored in encrypted container.
-
FS#13 - Remember PGP passphrase
Expand
Collapse
-
At this time the PGP passphrase is not remembered at all. the user has to type it in each time.
We need to define an option for the user to decide how long he wants to remember the passphrase.
Possible options:
* -1 (unlimited/session), 0, >0 in minutes?
* renew counter on each use?
We use this option for all private PGP keys
-
FS#18 - Support whitelisting of annotated websites
Expand
Collapse
-
Right now the Addon is scanning all tabs/pages of the browser for a PGP message and a valid input field. This is resource-consuming and might not be the perfect solution for the future.
We want to support a white-listing for the annotation to reduce the problems and intrusiveness the Addon might cause.
Possible solution:
* In Panel: add a button for whitelisting
* White-listing is done by exact domain on default
* White-listing support basic regexp to make it more precise and limit it to subpaths, expand it to whole TLD or all
Examples:
google.com -> only on this domain
*.google.com -> on TDL
google.com/mail/* -> only on that subfolder
* -> scan all pages
severity medium as currently we are unnecessarily messing with DOM trees
-
FS#33 - Add close icon on injected icons
Expand
Collapse
-
The injected icons need to have a "close" icon. this removes the changes in the webpage.
-
FS#39 - Include "Signed in as"
Expand
Collapse
-
Include "signed in as" in config and panel.
-
FS#45 - Import PGP key from webpage
Expand
Collapse
-
We want to support the import of a PGP key that is shown in a webpage.
This could be done similarly to the decrypt functionality but probably needs a different icon.
-
FS#58 - Give feedback on missing inject target
Expand
Collapse
-
The user can open an compose dialogue using the compose icon in a "target" webpage. After writing a message and submitting it, compose is validating the input. On success it will hand the message over to the encryption part, which in turn sends it to the addon (encrypted). The addon hands it over to the target-page.
In this chain of executions we do not have the feedback in the panel, if the target-page/compose reference is still there. Hence, the encrypted message can end up "deleted".
To avoid this case we need to
* enable the inject code to answer with failed or success
* enable the addon to deliver the status to the panel
* wait in the panel until it gets the status
* enable the panel to handle a possible error
severity medium as currently you lose your whole message if the target has disappeared
-
FS#71 - it seems that storage can become undecryptable
Expand
Collapse
-
panel/config will not accept user password!
log gives error message "info: shufu: userKey validate CORRUPT: ccm: tag doesn't match" which is the same as for an incorrect user password.
Now we have storage backup and can hopefully identify what happens. Most likely the master key gets corrupted, possibly by a JSON encode/decode issue...
-
FS#72 - license proprietary in package.json
Expand
Collapse
-
is this necessary for mozilla? i'd rather put "free to use" or something nice-sounding.
-
FS#80 - Enable the user to show the original decrypted message
Expand
Collapse
-
The message is sanitized for viewing in the panel to prevent any information from leaking. This might be malicious JS code, iframes, images but also links that pretend to point to trusted sites but don't.
The user still might want to see the original message. Since this is a security risk, we will notify the user about it and open a tab with the original message at wish.
-
FS#86 - overlay does not work on searched message
Expand
Collapse
-
gmail highlight searched content and highlighting prevents overlay from finding armor:
-----BEGIN <span class="il">PGP</span> MESSAGE-----
-
FS#87 - Zimbra draft email with PGP message not recognized
Expand
Collapse
-
When saving a draft in Zimbra that contains a valid PGP message, it is not annotated.
-
FS#88 - GLPI: Annotation without input box shown
Expand
Collapse
-
In GLPI, even there is no input box shown, sometimes there are ShuFu icons visible.
14% of
7 tasks
completed.
6 open tasks:
-
FS#6 - Show reference to source webpage
Expand
Collapse
-
If an compose dialogue is open in the panel, there is no reference to where the panel was requested from.
This might not be a problem at first, but if a compose takes longer, the user might forget where it came from.
Certainly we need a reference as soon as we support multiple compose dialogues.
-
FS#7 - Show reference to source webpage
Expand
Collapse
-
If an view dialogue is open in the panel, there is no reference to where the panel was requested from.
This might not be a problem at first, but if a view takes longer, the user might forget where it came from.
Certainly we need a reference as soon as we support multiple view dialogues.
-
FS#12 - Change password of user account
Expand
Collapse
-
The user account has a password defined by the user. He needs to be able to change this password at a later time.
-
FS#17 - Remove inject worker after wizard/config/inject
Expand
Collapse
-
Remove inject worker after wizard/config/inject
currently work-around in place to only execute injection once. but work-around might be a little brittle.
-
FS#22 - Prevent faking addon
Expand
Collapse
-
In theory a webpage could place a faked panel area in its webpage and make the user believe it is the ShuFu panel.
This needs to be prevented.
Possible solution:
We place a user defined or random generated string in the panel, that only the addon knows. This identifies the panel as being authentic.
-
FS#81 - Show an image of a message on request
Expand
Collapse
-
Images are dangerous to show since in the src attribute can be malicious code instead of an image. Also an remote image already exposes some information because it leaved a footprint on the remote server.
We sill want to allow the user to load an image of a sanitized message on his command.
0% of
8 tasks
completed.
8 open tasks:
-
FS#11 - Change PGP passphrase of private key
Expand
Collapse
-
It needs to be possible that the user can change the PGP passphrase.
For the transition from the default PGP passphrase (empty) there might be a special case needed.
-
FS#15 - Export Masterkey
Expand
Collapse
-
The user-login is only the front-facing key for the encrypted storage. The same as Truecrypt, we use this login the decrypt the real masterKey, which is used to decrypt the encrypted local storage.
We want to give the user the opportunity to export this key in an encrypted version and in plain. This gives him the possibility to extract the local storage without the addon. Of cause, the process of actually extracting the latter is up to the user.
-
FS#24 - Select own PGP key for encryption
Expand
Collapse
-
Right now ShuFu encrypts a message for all own PGP keys.
The messages a user encrypts are always also encrypted for himself.
The user should be able to define a default private PGP key, which is to be used for this.
-
FS#40 - Synchronisation of local storage
Expand
Collapse
-
It is only stored locally and therefore the easy usage of ShuFu Privacy with many computers is not easy.
Since the local storage is strongly encrypted we can offer an online sync option for it. Implemented well, we could offer an online storage for syncing that is totally anonymous.
Two syncing options could be implemented:
1. direct sync, similar to the sync of the Mozilla settings sync
2. Online sync to a storage facility, where only the encrypted blobs will be stored
-
FS#43 - Publish own PGP key on key-server
Expand
Collapse
-
The own PGP key is kept locally at this time.
To enhance the usability it should be possible to publish it automatically on a public key server.
The user has to define if he wants this or not
-
FS#47 - Publish PGP Key of privacy@shufu.eu
Expand
Collapse
-
The PGP key of ShuFu Privacy need the get published.
-
FS#53 - Use Mustache for frontend
Expand
Collapse
-
Right now we use HTML and jQuery to implement the UI. This could be done better with Mustache.
We need to check if that is better.
-
FS#77 - Imported compose "text": Make original content available
Expand
Collapse
-
We convert HTML to Markdown that was in input area of an annotated element of the source page. This converted HTML is presented in the compose textarea.
We should make it possible for the user to replace it with the original.
0% of
3 tasks
completed.
2 open tasks:
-
FS#41 - Attachments
Expand
Collapse
-
The standard ShuFu service supports only text messages. This is also contributed to the fact that normal textareas or other input types support only a limited amount of data. Normally attachments are incomparable bigger and therefore likely not compatible to attachments.
This problem needs to be solved.
-
FS#44 - Request PGP key of others from key-server
Expand
Collapse
-
The PGP key of others is imported by the user.
to improve usability we want to support requesting a key-server to find PGP keys of others.
Roadmap for version 0.5.0
0% of
0 tasks
completed.
Text Version