Mailvelope Changelog

v4.2.1

Jan 9, 2020

Build WKD URL with web crypto digest method instead node crypto shim
Various bug fixes in Gmail API integration
Fix options view of app when using createSettingsContainer client-API method
Update to Bootstrap 4.4.1, optimize container layout

v4.2.0

Nov 12, 2019

Support for Gmail API (experimental)
Websites can trigger request for inclusion in the authorized domain list

v4.1.1

Aug 28, 2019

Fix error messages on restore backup dialog
Fix bug in the editor recipient input field when terminating email address with space key
Hide bit length selector in in advanced key generation options where not appropriate
Fix duplicate password popup for Mailvelope viewer in the app decrypt UI
Optimize styling of embedded components for small dimensions
Allow to switch keyrings in the keyring setup UI
Fix encoding of file objects when decrypting armored message in app
Add support for Experimental Web Platform features with DOMPurify returning TrustedHTML
Add Mailvelope title to editor and password dialog
Fix line wrapping of cleartext signed messages

v4.1.0

Aug 15, 2019

Further fixes of character duplication when pasting password from clipboard in password input fields
The keyring.openSettings method supports now direct navigation to the default key

v4.0.1

Aug 8, 2019

Fix pasting password from clipboard in password and key generate dialogs
Fix import keys with key attribute packets from keys.mailvelope.com and WKD
Improve scaling of logo

v4.0.0

Aug 1, 2019

Refreshed Mailvelope branding: new design, new logo, new icons and fonts.
Many revised UI components, integration of new UI concepts like toasts to replace alert messages.
Revised mail provider integration: messages are automatically decrypted if private key password is cached, new animated Mailvelope editor button.
New configurable security background with choice of 24 icons
Remove jQuery dependency in content scripts
Improve PGP message detection logic on host page
New file encryption UI in app which supports signing

v3.3.1

July 5, 2019

Fix race condition when importing keys that can lead to key pairs being imported as separate public and private key

v3.3.0

July 4, 2019

[Security] New key import UI that displays all imported user IDs and requires additional confirmation step (CVE-2019-9150)
[Security] Fix insufficient key equality checks when importing keys via the client-API
[Security] Fix self signature check for armoredDraft option when using GnuPG keyring. Sign and encrypt operations should always require user interaction (CVE-2019-9149).
[Security] Add missing message and key validity checks (CVE-2019-9148)
[Security] Improve counter of private key operations to increase resistance against time-based side-channel attacks
Improve GPG detection on startup
[Security] Fix issue with the private key restore mechanism, that stores unlocked private keys inside the encrypted recovery message
Support for Autocrypt headers in client-API

v3.2.0

May 15, 2019

Migrate to Bootstrap 4
Add openpgp-email-read and openpgp-email-write web components
Add query by email parameter to keyring.hasPrivateKey method
Add basic Autocrypt integration
Enable key lookup (Mailvelope key server, WKD, Autocrypt) for client-API calls
Add freenet.de to default list of authorized domains
Update OpenPGP.js to 4.5.1

v3.1.0

Mar 11, 2019

Redesign key details UI in app
Key UI: upload or delete keys to/from the Mailvelope key server
Key UI: change password of private keys
Key UI: create key revokation certificates
Key UI: change (add new, delete, revoke) user ID: name and email
Key UI: set new expiration date for key
Make links in decrypted messages clickable
Add checkbox to security settings to allow to hide header in armored message
[Security] Fix control mechanism to let components only be created in authorized domains (CVE-2019-9147)
[Security] Fix OK badge on browser action icon that signals user interaction
Various fixes and refactoring
Update OpenPGP.js to 4.4.9

v3.0.2

Dec 18, 2018

Update OpenPGP.js to 4.3.0

v3.0.1

Dec 14, 2018

Move native messaging permission in Chrome to optional permissions. Revise OpenPGP backend selection UI.
Update OpenPGP.js to 4.2.2. Add patch to verify ECC keys.

v3.0.0

Dec 11, 2018

GnuPG integration: connect via native messaging with a GnuPG installation and use GnuPG as an alternative backend for all OpenPGP operations.
New encrypted web forms feature: use Mailvelope to transmit HTML form data end-to-end encrypted with OpenPGP (https://github.com/mailvelope/mailvelope/wiki/Encrypted-Forms).
Support the Web Key Directory (https://wiki.gnupg.org/WKD) for decentralized public key discovery.
Update OpenPGP.js to 4.2 (http://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0): security fixes, support for ECC.
Redesign of keyring selection component and keyring management view
Block external HTML content in decrypted messages
Revise unit testing framework and increase test coverage
Major refactoring of keyring and model classes to support multiple OpenPGP backends
Add keyring fallback mechanism to find required private key for an operation across multiple keyrings
Public keys are synchronized across multiple keyrings
Authorized domains for client-API are by default HTTPS-only
Revise MIME parser/builder integration

v2.2.2

May 15, 2018

[Security] Enforce strict MDC checking for all non-AES symmetric encryption algorithms

v2.2.1

May 4, 2018

Fix issue with negative left-position of encrypt frame in some webmail clients
Remove non-functional (and on Firefox broken) scanning for sub frames when adding active tab to the watchlist
Fix corrupted file name on file download for Firefox <61

v2.2.0

Mar. 6, 2018

Encrypt and decrypt texts in App UI
Migrate decrypt-inline and editor component to React
Decrypt available messages when transferring to Mailvelope editor
Fix keyring backup key type filtering
Fix initialization of watchlist
Fix key server selection cancel button

v2.1.1

Dec. 20, 2017

Revert: Use chrome.downloads API for key export

v2.1.0

Dec. 19, 2017

File encryption: use binary format (.gpg file extension) by default
Introduce dashboard view as main entry point for the application
Redesign of the Mailvelope menu (in browser add-on toolbar)
Accessibility improvements (navigation in keyring management and settings)
Use chrome.downloads API for key export (fix for Bugzilla #1420419)
Better clarity about private key export in key details UI
[Security] Fix Inline Security Background spoofable (Medium)
[Security] Fix UI Redressing via web accessible resources (Medium)
Unify event handling in all controllers
Revise modal dialog behavior of Mailvelope browser popups
Revert to Symmetric-Key Message Encryption of OpenPGP.js v1 for private key backup
Move add-on distribution from self-hosted to AMO
Minor bug fixes and dependency updates

v2.0.0

Okt. 9, 2017

Complete migration of Firefox Add-on to Web Extension. Merge codebase for Chrome and Firefox.
Upgrade to OpenPGP.js v2
Support binary format for file decrypt
Raise file size limit for file encryption to 50 MB
Improve accessibility of main App UI
Add mail.zoho.com to list of email providers
Migrate main App UI to React and React Router
Use frameId based content script injection logic
Further migrate codebase to ES6
Move bower dependencies to npm
Replace PhantomJS with Karma and Chrome headless for unit testing
Load OpenPGP.js as npm dependency instead of using git submodules
Update dependencies

v1.8.1

Aug. 2, 2017

Fix localization issues on Firefox 55

v1.8.0

July 10, 2017

Migrate storage layer from localstorage to chrome.storage on Chrome and WebExtension API on Firefox
Support multiple MIME text parts of decrypted message
Mailvelope version is set to body tag for all websites in watchlist
Bug fixes and update of dependencies

v1.7.2

Apr. 18, 2017

Add mail.riseup.net to list of email providers
Load keyGenDialog from embedded WebExtension to prevent password input warning in Firefox
Display selected key server in the key search UI
Migrate key server settings to React, allow ports, provide list of servers. Automatically add key server to watchlist.
Migrate to Webpack 2
Update dependencies
Normalize armored keys before import

v1.7.1

Feb. 24, 2017

Replace unmodified notification in editor with enforced password prompt on signing of message

v1.7.0

Feb. 23, 2017

Propagate preference changes in App UI to content scripts and all integrated components
Extract recipient tag input Angular component to separate file and wrap in React component
Update recipient input autocomplete after change of keyring data, newly imported keys can now directly be used in the editor
Update key selection for file encryption after key import
Fix add to whitelist function for Firefox
Remove unnecessary reload notice in settings
Refactoring key details view and keyring export
Add API version to body tag
[Security] Add notification to prevent signing of messages without user interaction
localization updates: Spanish, Portuguese (Brazil), Japanese, Chinese (Taiwan), Norwegian, Ukrainian, Dutch, Chinese, Arabic, French, Lithuanian

v1.6.5

Jan. 16, 2017

Workaround for port.disconnect() bug (#655932) in Chrome

v1.6.4

Dec. 22, 2016

Revert content script injection logic for Chrome to old logic without frameIds

v1.6.3

Dec. 21, 2016

Use frameId based content script injection logic in Chrome

v1.6.2

Dec. 6, 2016

Add default addon.detection.png path to web accessible resources in Chrome

v1.6.1

Dec. 6, 2016

Fix path to addon.detection.png on Chrome to be compatibe with the client-API v1.0

v1.6.0

Dec. 2, 2016

Add message signing options to Mailvelope editor for sign & encrypt and sign-only use cases.
Extract sender address from mail client and show signature verification result in decrypt view
Add key expiration time option to key generate UI
Prevent setting invalid keys as primary key
Add inbox.google.com to watchlist. Fix decryption errors.
Migrate from jshint and jscs to eslint
[API]: createDisplayContainer method returns error code
Major refactoring
- new folder structure
- React is used for new UI components
- Webpack and Babel included in the build step
- migrating to ES6 module syntax
Update dependencies
Bugfixes

v1.5.2

Sept. 7, 2016

[Firefox] Update jpm to v1.1.4
Optimize recipients transfer methods in editor for Gmail and Yahoo
Remove recipients transfer methods in editor for generic webmail
Localization updates

v1.5.1

July 8, 2016

Bugfixes
Localization updates

v1.5.0

July 5, 2016

Introduce provider specific content scripts to optimize integration of Mailvelope and webmail client (non-API case)
New workflow for key selection in the Mailvelope editor: select recipients with their email address. Email autocomplete feature from all email addresses in local keyring.
Transfer recipient email address to Mailvelope editor and back to webmail client (Gmail only)
Refactoring of controllers, add unit test framework, unit tests for controllers and Mailvelope editor
Use Angular.js for new UI components
Implement TOFU key lookup using new Mailvelope key server: keys.mailvelope.com
Add option to upload public key on key generation to key server
Increase minimum required version: Chrome 49, Firefox 45

v1.4.0

May 9, 2016

Implement HKP key search and import
File encryption support
Add mocha unit test infrastructure
Localize recovery sheet for key backup
Show key ID in sign message dialog
Redesign key import UI
Update OpenPGP.js to v1.6.0
Update bower dependencies: jQuery to 2.2.1, DOMPurify to 0.7.4
Bugfixes

v1.3.6

Feb. 24, 2016

Update to latest email.js components
Port Firefox add-on to jpm build tool

v1.3.5

Feb. 16, 2016

Update closure library to support new email address TLDs for key generation
[Security] Limit operations for keys in cache
Remove feature to sign/encrypt in DOM of website

v1.3.4

Jan. 23, 2016

Fix editor flexbox rendering for Chrome 48
Use name-addr format if no name provided in userid at key generation
Add language file for Ukrainian

v1.3.3

Jan. 7, 2016

Update watchlist for Outlook.com
Activate API for Posteo
Log API encryption operations
Always sign editor drafts
Add mail.ru to list of supported mail providers

v1.3.2

Dec. 15, 2015

[Security] Fix XSS via HTML file download link

v1.3.1

Dec. 7, 2015

Increment patch version to allow new upload to Mozilla signing process

v1.3.0

Nov. 27, 2015

API: create and restore drafts in the editor container
Grunt task to build crx packages for Chrome
Strict check on packet structure for private key restore
Pseudo-revoke mechanism to allow mail provider to invalidate keys
Update DOMpurify to 0.7.3

v1.2.3

Oct. 28, 2015

[OpenPGP.js] Enforce integrity protection only for modern ciphers, fix compatibility issues

v1.2.2

Oct. 16, 2015

Fix key generation activity indicator (Firefox)
Don't show recovery sheet when backup upload fails

v1.2.1

Oct. 14, 2015

Recovery sheet layout fixes
[OpenPGP.js] Update OpenPGP.js, enforce integrity protection, deprecate Symmetrically Encrypted Data Packet (Tag 9)

v1.2.0

Oct. 4, 2015

API: trigger disconnect event on extension update
API: add confirm parameter to key generate method to allow rejecting key if public key upload fails
Fix Mailvelope editor button in certain mail providers
[Security][OpenPGP.js] Fix S2K to prevent decryption of malformed private key backup messages

v1.1.0

Sep. 16, 2015

Editor container supports keepAttachment flag for message forwarding scenarios
Fix race condition on attachment upload that can lead to lost attachments
Ignore null values in API type checker
[OpenPGP.js] Support plain email address in user IDs of keys

v1.0.2

Aug. 25, 2015

Fix spinner for large messages in reply scenario

v1.0.1

Aug. 20, 2015

Fix false positives from Mozilla signing review

v1.0.0

Aug. 18, 2015

API: sign PGP/MIME messages
API: support for signature verification in the decrypt container
Set password cache to on by default (30 min)
Deprecate Firefox 31 support
Improve attachment decrypt performance (Firefox)
Auto select right keyring when opening the settings
Inject content scripts in all open tabs on installation of extension
API: register handlers to allow backup and restore of keys and public keyring synchronization
API: validateKeyForAddress method returns fingerprint and lastModified date
API: add container to create symmetrically encrypted key backup and recovery sheet
API: add container to restore key and password
API: add container to generate key
API: display key details in the key import dialog
API: fix editor quota limit calculation
[OpenPGP.js] Generate keys with multiple user IDs
[OpenPGP.js] Use Web Crypto API to generate keys (Firefox)
Show reason of password request in password dialogs
Many style fixes and layout improvements

v0.13.2

July 22, 2015

Update OpenPGP.js to 1.2.0
Custom icon color for security background

v0.13.1

Apr. 15, 2015

Fix empty list of recipients due to bug in primary key setting
Fix positioning of sign/encrypt dialogs
Update OpenPGP.js to 1.0.1

v0.13.0

Apr. 14, 2015

Finalize Client-API v1: http://mailvelope.github.io/mailvelope/
Optimize attachment styling
Support for multiple keyrings
Update mailreader to v0.4.0
Fix attachment upload bug in FF
Replace security token with security background
Small screen-optimization for settings
Automatically set primary key at key generation and key import
Set auto adding of the primary key by default
Redesign password entry and import key dialogs
[Security] Encode attachment filename
[Security] Update DOMPurify to 0.6.1, use jQuery output option
Fix endless loop in armored block detection on the mail client page
[Security] Update OpenPGP.js to v0.11.1, fix bug in DSA signature verification
[Security] Add noreferrer to external links
[Security] Check for ambiguous keyIds on key import
[Security] Validate key and user IDs of signatories
[Security] Open all links in message body in new window
[Security] Set charcode in sandboxed iframes
Localization updates
Sign Firefox XPI packages
Fix decoding of MIME messages with transfer encoding: 8bit
Redesign browser action menu
Limit on/off action to non client-API controls (Firefox)
Establish new Firefox download link: https://download.mailvelope.com/releases/latest/mailvelope.firefox.xpi
Add De-Mail providers to default list of supported mail providers
UI to set custom security background
Establish demo page for client API at: https://demo.mailvelope.com
Log user actions in embedded components and display indicator as badge of the addon toolbar icon
Add multiple file upload functionality

v0.12.1

Feb. 23, 2015

Fix AMO review issue: use duplicate mvelo.js instead of eval

v0.12.0

Feb. 5, 2015

Settings UI: replace Kendo UI components, use templating, replace short with long key ID
Client-API: allow web applications to interact with Mailvelope (experimental)
Client-API: documentation available at: https://mailvelope.github.io/mailvelope
Client-API: unit tests available at: https://github.com/mailvelope/mailvelope-api-test
[OpenPGP.js] Upgrade to v0.9.0: fix zlib/zip compression bug
fix bug with quoted printable in armored blocks
support nested MIME structure in PGP/MIME
Enable JSCS style checking
use flexbox to resize editor
automated builds with travis-ci
generate RSA 4096 bit keys by default
restrict watchlist match pattern
improve MIME detection
defer loading of keyring
localization updates. New languages: Arabic, Bulgarian, Dutch, Slovenian

v0.11.0

Nov. 27, 2014

Remove v0.8 local storage migration, delete old keys
Controller refactoring
Redesign of editor controls
Use JavaScript strict mode
Deactivate rich-text editor as we currently only support PGP/Inline
[Security fix]: Load documentation in separate browser window to prevent access to priviledged API

v0.10.4

Nov. 10, 2014

Fixes for addons.mozilla.org review

v0.10.3

Nov. 9, 2014

Migrate to Bootstrap 3.2
Refactor content scripts
Transfer repository to https://github.com/mailvelope/mailvelope

v0.10.2

Oct. 14, 2014

Remove keys on uninstall of Firefox addon (optional)
Fix font CSP issue in Chrome
Fix message adapter API for Firefox 33

v0.10.0

Oct. 1, 2014

Add support for localization
Translations for: Chinese (China), French, German, Norwegian, Polish, Russian, Spanish
Fix support for HTML in PGP messages (v0.9.0 regression)
Update OpenPGP.js to v0.7.2
Use stable worker object in Firefox
Update Require.js to 2.1.14
Add posteo.de and web.de to default list of mail providers

v0.9.0

June 16, 2014

Support reading of MIME messages
Global on/off switch for page injected elements
Verify cleartext signed messages [Julian Bäume & Marek Kurdej]
Hide Mailvelope editor button after typing
Support armored texts without header
Update DOMPurify to 0.4.2
[Firefox] Use toggle button in Australis
[Chrome] Migrate from chrome.extension to chrome.runtime

v0.8.3

May 11, 2014

Update jQuery to 2.1.0
Enable sign and encrypt in included textareas for Firefox
Separate jQuery from main content script
JSHint fixes

v0.8.2

May 2, 2014

Decrypt inline mode for Firefox
Short term fix for changes of unsafeWindow coming to Firefox 30
XSS sanitizer: replace wysihtml5 parser with DOMPurify
[OpenPGP.js] Optimize signature verifications to evaluate primary user (reduces loading time of key grid)
[OpenPGP.js] Fix broken twofish cipher
[OpenPGP.js] Generate key by default without unlocking secret part
[OpenPGP.js] Fix key update for keys generated with PGP Desktop

v0.8.1

Apr. 14, 2014

Fix preferences update. Changes to security token applied instantly.
Port Firefox Add-on to new OpenPGP.js API
Use web workers for key generation, signing and decryption (Fixes performance issues with Firefox).

v0.8.0

Apr. 5, 2014

Signing of clear text messages. Thanks to @johnyb for contribution.
Switch to Grunt as build tool and Bower for packet management
[OpenPGP.js] Security fixes. See https://github.com/openpgpjs/openpgpjs/wiki/Cure53-security-audit for details
[OpenPGP.js] Update to v0.5.1, new architecture of the library with many enhancements including:
- generation of standard compliant keys with main key for signing and subkey for encryption
- improved compatibility and performance

v0.7.0

Nov. 4, 2013

Reduce initial loading time of key grid, lazy loading of key details
Merge branch firefox into master: one code base for Chrome and Firefox
Identify public key in email body, allow one click import
Firefox add-on reaches feature parity with Chrome extension (excluding decrypt inline scenario and performance)
Rewrite key import function: reject multiple keys per armored key text, more accurate error logging
Improved stability of key grid, make key mapping more robust against exceptions
Display short version of key id in key grid
Fix display of key creation date in Chrome
Export key pair: display public key first
Generate 2048-bit RSA keys by default
Add reference to Mailvelope in PGP header comment tag
Display Mailvelope version in options UI and PGP header line
Migrate to jQuery 2
Activate Mailvelope in private browsing mode of Firefox
Set minimum Chrome version to 26 (minimum Firefox version is 21)
Fix wrong encoding of non-ASCII characters in decrypted messages
[OpenPGP.js] Evaluate key flag to determine encryption key
[OpenPGP.js] Key generation with non-ASCII user id: generate valid signature

v0.6.6

Aug. 24, 2013

Fix broken decrypt process for outlook.com (accept <br> inside <pre> in mail body)
Add key text file upload to key import view

v0.6.5

Aug. 20, 2013

Fix wrong encoding of non-ASCII characters in decrypted messages
[OpenPGP.js] Key generation with non-ASCII user id: generate valid signature

v0.6.4

July 12, 2013

Fix UTF8 regression introduced with OpenPGP.js update in 0.6.3
Update watchlist defaults for new GMX navigator
Set plain text as default editor due to incompatibilities with encrypted HTML mails

v0.6.3

June 25, 2013

Fix "Send public key by mail" producing corrupted key text
Update to latest OpenPGP.js

v0.6.2

May 10, 2013

Update Kendo UI to 2013.1.319. Fix key export problem on Win8
Add unique title for password dialog
Loading spinner for the key grid
Only allow export 'Send public key by mail' if key file does not exceed 1600 characters

v0.6.1

Mar. 15, 2013

Primary private key can be defined in the general settings and option to always add primary key to list of recipients in encryption dialog.

v0.6.0

Mar. 7, 2013

Load web fonts locally from the extension
External rich text (wysihtml5) or plain text editor for mail composition
New preferences views for general and security settings
Disable context menu
Update RequireJS to 2.1.2
Update Bootstrap to 2.2.2
New external password dialog
Keep passwords in memory for browser session (optional)
New popup to display decrypted messages
Security token concept on all popup dialogs
Use iframe sandbox feature in encrypt and decrypt scenarios
Show watermark behind inline decrypted messages
[OpenPGP.js] support key import from hushmail
[OpenPGP.js] prefer subkeys for encryption
Show warning if external editor lost focus
Sanitize HTML of decrypted message
Logic to keep critical dialogs in the foreground

v0.5.5

Feb. 6, 2013

Update to latest OpenPGP.js release, problems with compressed messages from e.g. Enigmail are fixed
Clean-up of key import coding
Fonts are loaded locally

v0.5.4.2

Dec. 18, 2012

Unicode support for encryption process and key owner name

v0.5.4.1

Dec. 17, 2012

Set minimum Chrome version to 21
Center encrypt dialog (support for new Gmail editor)

v0.5.4

Dec. 6, 2012

Improved positioning of decrypt dialog for large mails: the dialog is now shown always on top and not in the center of the mail
Revised armored text extraction in decrypt frame: this fixes a bug where in some situations the armored text was not extracted correctly
Fix encrypt button style in outlook.com
Decode HTML entities in text mode: e.g. > is now decoded correctly
Remove migration code that was introduced with 0.4.2

v0.5.3

Nov. 12, 2012

Support for messages in pre tags
Higher selector specificity in framestyles.css to support Roundcube

v0.5.2.2

Nov. 8, 2012

Browser actions: improved tab handling

v0.5.2.1

Nov 7, 2012

Fix bug in Add/Remove page functionality

v0.5.2