Search Mailing List Archives
[liberationtech] pgp message encryption and decrypion using just a browser
email at franciscorrigan.com
Mon Sep 27 01:45:20 PDT 2010
Steve you are of course right that decryption raises issues that may be
more problematic than using the like of hanewin's  encryption
facility. I always use the stance of a research based sceptic when I am
using or evaluating encryption tech, hanewin's implementation also
allows pgp text encryption off line and when the full html page is
be inspected and analysed. (Though I will myself not have the knowledge
to know what I am looking at, when it comes to js code!)
Using the likes of https://www.pwdhash.com/ also requires trusting it's
handling of password data, but as with hanewin, it can be used off line.
In the past I have used horde.org's webmail, which provides Encrypting,
signing, decrypting and verifying of signed and encrypted messages
(PGP/GPG and S/MIME, using such requires trusting the host and it's
terms and conditions. So even if trust exists in the underlying tech
and host, trust still has to take on numerous issues, such as
monitoring, access and disclosure to law enforcement
I am looking for online pgp decryption resources that are as straight
forward as the hanewin encryption facility, as a backup, to when it is
not possible to access GPG software or install such without Admin
David, Concerning https://droplettr.com/ this is something I am unable
to evaluate and it does not appear to meet the criteria of being able to
use fully offline and is not based upon one main page that can be
dependencies. I have not mentioned it explicitly but I am looking for
resources based upon open-source.
To check whether hanewin's can be trusted, it is possible to to use it
to just create an encrypted text message (off line) with one's own
Public key and then decrypt with via GPG. If there was an underlying
or Sandbox or Live CD, save the encrypted message and then reboot and
send the saved message, but this would only be to check things out.
I do think such a resource could easily be developed and provided
through a trusted third party, which has resources to mitigate against
compromise, which I assume the like of https://www.pwdhash.com/ has.
----- Original message -----
From: "Steve Weis" <steveweis at gmail.com>
To: "Frank Corrigan" <email at franciscorrigan.com>
Cc: "Danny O'Brien" <DObrien at cpj.org>,
liberationtech at lists">liberationtech at lists.stanford.edu
Date: Sun, 26 Sep 2010 15:35:34 -0700
Subject: Re: [liberationtech] pgp message encryption and decrypion using
just a browser
message? You would need to give that code your secret key, so must
trust it completely.
be malicious, compromised, or incompetent. You could audit the code,
but the site could silently change the it any time in the future.
Signing it doesn't help unless you already have some trusted code to
verify the signature. You could hypothetically save a local trusted
well just use GPG.
idea. I've only seen one case where it made sense, which was to
offload public-key operations onto clients. That was strictly for
performance reasons and did not increase the risk above what the site
was already doing.
On Sun, Sep 26, 2010 at 12:45 AM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> ... I was and I still
> am keen to to identify an online, akin to hanewin's, but one that can
> equally Decrypt a text based pgp message. Of course creating encryption
> keys does require software in addition to a web browser. But I still do
> think it would been very helpful to many to be able to access an online
> resource for the sending and reading of pgp messages, without the need
> of additional software and one that can be used off-line and downloaded
> locally or kept on a usb stick for greater portability.
More information about the liberationtech