[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [O] org-mobile : security
From: |
Richard Riley |
Subject: |
Re: [O] org-mobile : security |
Date: |
Sat, 04 Aug 2012 15:05:20 +0100 |
User-agent: |
Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.1.50 (gnu/linux) |
Greg Troxel <address@hidden> writes:
> Richard Riley <address@hidden> writes:
>
>> org-mobile allows you to use some form of encryption when pushing to the
>> MobileOrg directory. Encrypts and works fine. The issue is that the
>> mobile app has a password setting to unencrypt but there is no
>> protection on the app itelf meaning anyone can read the org files from
>> thje mobileorg app itself kind of defeating the object since dropbox has
>> its own encrption based on id/pasword anyway.
>
> Please explain your threat model :-)
My org files contains confidential information. My email does not.
>
> Seriously, the fact that the org files are available on the phone does
> not seem any scarier than one's email being available on the phone.
See above.
>
> I am boggled that you think anything about dropbox security is ok.
> In
I didnt say it was ok or mega secure. I said that its already encrypted
on their end and without user id/pass pretty hidden.
> my view, the whole point of org-mobile encryption is to put ciphertext
> only on the webdav server used to transfer between emacs and phone, so
(I dont use webdav)
> that the webdav server does not need to be trusted for confidentiality.
> It seems unwise to trust dropbox, given the lack of clarity around
> access
I dont trust dropbox per se. But dropbox repo isnt on my phone without a
password access. ie if I leave my phone on the table or lose it. And as
I pointed out, even on dropbox the files *are* encrypted. Its the phone
side that is the issue.
> to plaintext by dropbox staff, and encryption lets one comfortably use a
> shared web server whose admins are not cleared to see the private org
> data.
Yes, which is why my files *are* encrypted using the org-mobile
encrption.
>
>> I realise I can encrypt
>> org entries myself (I do) using gpg keys but since there is no built in
>> gpg decryption facility in mobileorg thats hard work (you need to copy
>> the encrypted entries to oPenGPG which does feature app pin protection and
>> holds my secret key (which needs a password too)).
>>
>> Is there a way to protect the mobileorg app? Or do I need to manually remove
>> the password from the mobileorg settings each time?
>
> It seems like perhaps you want a phone-wide confidentiality solution.
>
>
No. Just the ability to not have people see my org files if they pick
up/find my phone. This can be done, as I outlined above, by pgp
encryption of the org entries themselves but this is a pain since there
is no built in decryption and I have to do it in openPGP manually.