Support » Plugin: WP PGP Encrypted Emails » Great tool, but there is a room for improvement

  • I would like to say thank you to the author for providing our WordPress community with such a great tool free of charge. It works pretty well with a simple but clever design, and I hope I can implement it in real production sometime in the future.
    However, there are several things to improve in the PGP implementation. I haven’t had a chance to try out the plugin with S/MIME.
    1. The plugin’s built-in keypair generator only provides me the PGP private/public keys with the default email wodrpress@mydomain.com. It doesn’t work with my own keys pasted into the plugin’s key input boxes.
    2. There is no passphrase to protect my private key. If attackers get into my admin dashboard then the game is over. It is worse as there is no way to revoke the keys unfortunately.
    3. There is no expiry date for the generated keys. This is a very important feature: you should be able to set an expiry date for your key in case it’s compromised; then the problem may solve itself with the expiry date even if you can’t revoke it.
    4. The plugin doesn’t work with my own PGP keys generated by other tools, i.e. Kleopatra. I pasted my own keys in, then I got an uncaught error when I tried to log in with a test user account with PGP enabled, and the error message was fully shown in my browser even though I turned off debug.
    5. Using GpgOL within Outlook 2016, I can’t encrypt the message with the public key generated by the plugin’s built-in keypair generator. I got an error message when trying to do this – Crypto operation failed: Unusable public key. Note that GpgOL works perfectly with my current keys generated by Kleopatra.

    Anyway, I think it’s the greatest plugin so far in the WordPress community in terms of email encryption for websites. I hope that the author can improve it in some ways in the near future.

  • Plugin Author Meitar

    (@meitar)

    Thanks for the positive review. 🙂 Some of the things you mention here should be reported as issues to the project’s issue tracker.

    > The plugin’s built-in keypair generator only provides me the PGP private/public keys with the default email wodrpress@mydomain.com.

    This is by design. The generated keypair uses the default WordPress email. It will pick up whatever your WordPress system’s email address is.

    > It doesn’t work with my own keys pasted into the plugin’s key input boxes.

    This sounds like a bug. Please report it to the project’s issue tracker with more details.

    > There is no passphrase to protect my private key.

    This is by design and is discussed numerous times in the various sections of the plugin’s readme file. If there were a passphrase you would be required to provide it for each email WordPress sends. This is not practical for automated systems, for obvious reasons.

    > there is no way to revoke the keys unfortunately.

    This is not true; you can create a revocation certificate manually as you would for any other keypair. There is no mechanism for doing this through the WordPress GUI at the moment, but if you want to see this feature implemented, please consider providing a patch or, again, voicing your interest on the project’s issue tracker where I can track its desirability.

    > There is no expiry date for the generated keys.

    This is a feature enhancement under consideration.

    > The plugin doesn’t work with my own PGP keys generated by other tools, i.e. Kleopatra.

    Again, this sounds like the same bug as earlier. Please report it and provide some actionable details regarding the error.

    > Using GpgOL within Outlook 2016, I can’t encrypt the message with the public key generated by the plugin’s built-in keypair generator.

    This seems like a bug but is also not really within scope. The generated keypair is intended to be used exclusively by the WordPress software itself. That is its point. Using the same key to send email yourself is considered an operational security risk and is explicitly warned against in numerous parts of the readme.
