Monday, February 20, 2017

Fossa Guard permissions explained.

The permissions Fossa Guard requests often provoke questions about their reason and necessity. Let us explain them in detail.

0. Know your email address
Well, it sounds logical.

1. Compose and send new mail. 
This looks reasonable, since we want to compose and send signed / encrypted S/MIME messages.

2. View, manage and permanently delete your mail in Gmail. 
View also looks normal, since we are going to view S/MIME messages. Manage and delete sounds rather intriguing, but it lets us create and keep a single copy of an encrypted S/MIME message in your Sent box when you send it to several recipients. It is your personal copy that you can view, while each of your recipients gets a copy encrypted specifically for that recipient.

3. Create, update and delete labels. 
For your convenience, we create an S/MIME label (if it does not already exist) and mark S/MIME messages with it.

4. View your settings (e.g. filters and labels). 
This helps us check whether you already have the S/MIME label.

5. Read and change all your data on the websites you visit. 
This is the #1 reason people question us. Fossa Guard requires this permission because it needs to download the Certificate Revocation List (CRL) from the URLs discovered in your certificates. Fossa CRL is accessible at by the way. Validating certificates against the current CRL is a mandatory check according to the specification, and it was introduced in V0.2.1.

One can also read it as permission to read your browser history, but that is not actually the case. There is an interesting and sometimes funny discussion about the right wording for this last permission.
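The CRL download behind permission 5, as an added example that is not part of the original post and is not Fossa Guard's own code: the URLs live inside each certificate's CRLDistributionPoints extension, so the hosts to contact are only known once a certificate has been parsed. The function names and the CA hostnames in the sample are assumptions made for illustration.

```javascript
// Added example: list the CRL URLs in the DER value of a CRLDistributionPoints extension (RFC 5280, 4.2.1.13).
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("truncated DER");
  let len = buf[off + 1], start = off + 2;
  if (len & 0x80) {                       // long-form length in the next n bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || start + n > buf.length) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start + i];
    start += n;
  }
  if (start + len > buf.length) throw new Error("truncated DER");
  return { tag: buf[off], start, end: start + len };
}
function children(buf, node) {
  const out = [], view = buf.subarray(0, node.end); // a child may not overrun its parent
  for (let p = node.start; p < node.end; p = out[out.length - 1].end) out.push(readTlv(view, p));
  return out;
}
// SEQUENCE OF DistributionPoint -> [0] distributionPoint -> [0] fullName -> [6] URI
function crlUrls(ext) {
  const top = readTlv(ext, 0);
  if (top.tag !== 0x30) throw new Error("expected SEQUENCE");
  const urls = [];
  for (const dp of children(ext, top)) {
    const name = children(ext, dp).find((c) => c.tag === 0xa0);
    const full = name && children(ext, name).find((c) => c.tag === 0xa0);
    for (const gn of full ? children(ext, full) : [])
      if (gn.tag === 0x86) urls.push(String.fromCharCode(...ext.subarray(gn.start, gn.end)));
  }
  return urls;
}
// Browsers can only fetch http(s); each distinct origin is one more host to reach.
function fetchableOrigins(urls) {
  const origins = new Set();
  for (const u of urls) {
    try {
      const p = new URL(u);
      if (p.protocol === "http:" || p.protocol === "https:") origins.add(p.origin);
    } catch { /* unparseable URI: skip */ }
  }
  return [...origins];
}
// Constructed sample: two distribution points naming two hypothetical CAs.
const tlv = (tag, ...parts) => [tag, parts.flat().length, ...parts.flat()]; // short lengths only
const uri = (s) => tlv(0x86, [...s].map((ch) => ch.charCodeAt(0)));
const dp = (...u) => tlv(0x30, tlv(0xa0, tlv(0xa0, ...u.map(uri))));
const SAMPLE_EXT = Uint8Array.from(tlv(0x30,
  dp("http://crl.ca-one.example/root.crl", "ldap://ldap.example/cn=CA"),
  dp("http://pki.ca-two.example/issuing.crl")));
console.log(fetchableOrigins(crlUrls(SAMPLE_EXT)));
```

Two certificates from two issuers already yield two unrelated origins, and the `ldap:` entry is dropped because it cannot be fetched over HTTP.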

Please do not hesitate to contact us if you need further explanations.

Always yours,
Fossa Team


  1. I'm glad to find this post on your blog as I was wondering about point number 2.

    Does this mean you have access to all of our emails, including the ones we do not send with S/MIME?

    It might be helpful for the newbies to S/MIME and Chrome Applications if you made it a bit clearer what exactly you have the ability to access in our email accounts.

    I am quite excited about your product as it looks to be leading the way on getting S/MIME into Gmail. I look forward to following along in its development!!


  2. Hi

    It's nice to get positive feedback from you.

    The Fossa Guard extension has access to your contacts list to advise you of recipients while you are typing an address in the TO, CC, BCC fields. The user's contact list is processed locally in the browser and has never been sent to the Fossa server or anywhere else.

    Same for private keys (in the form of a PKCS#12 archive protected by a passphrase), which are kept in Chrome sync storage within the user's account space.

    Actually there is "hosted" S/MIME for Gmail as a part of the G Suite subscription, in which users have to store their private keys in Google. Our solution is an "end to end" S/MIME implementation for Gmail, where private keys reside within users' local storage, plus a lightweight CA to simplify enrollment.

    We have been developing the Fossa solution as our pet project for the last couple of years and are looking for opportunities to transform it into our main project.

    Fossa Team

    How-to videos

  3. Thanks for the quick reply!! I am definitely digging this tool, even if it's only a "pet project" :)