Future Planning: Thunderbird as a Web App

Andrew Sutherland asutherland at asutherland.org
Fri Sep 18 17:41:18 UTC 2015

On 09/18/2015 04:46 AM, Volker Birk wrote:
> Crypto implementations can ONLY go from locally running software to
> locally running software. Crypto implementations must not be
> server-based in any way, but have to be peer-to-peer only. Only then do
> we have end-to-end cryptography, only then do we have security offered
> by crypto at all, and not a simulation of security instead.

So it's clear, the Firefox OS Gaia email app is currently a packaged and 
signed application that runs locally only.  The only servers contacted 
are the user's mail servers and those contacted in the course of running 
autoconfiguration/autodiscovery.  A content-security policy prevents 
code from being run from remote locations.

The direction Gecko is going with APIs like TCPSocket that are hard to 
explain to users as permission prompts and for which standardization 
really isn't happening is for them to be add-on-only APIs.  So a 
pure-HTML/CSS/JS Thunderbird would effectively be a cryptographically 
signed Firefox add-on.

This is already the strategy used by whiteout.io, a PGP-focused mail 
client built on HTML/CSS/JS running as a Chrome extension, and which 
likely will also run as a Firefox extension once the platform is further 
built out.


