[liberationtech] pgp message encryption and decryption using just a browser

Jacob Appelbaum jacob at appelbaum.net
Tue Feb 8 18:24:02 PST 2011


On 02/08/2011 03:48 PM, David Dahl wrote:
> I have been wanting to follow up on this thread, which means writing
> some code. :)
> 
> I have distilled the 3 methods needed to construct any kind of
> PGP-like web application. My new extension, DOMCrypt, attaches a
> 'crypt' property to each web page giving JavaScript developers
> crypt.generateKeyPair(), crypt.encrypt() and crypt.decrypt().
> 
> All of the underlying crypto code is handled by NSS - the same library
> used for SSL/HTTPS. This is not a 'native JS' solution. It is fast
> C code under the hood.
> 
> See http://mozilla.ddahl.com/domcrypt/demo.html for a demo, the code
> is here: https://github.com/daviddahl/domcrypt
> 

Hi David,

Can you go into a little more detail? What is your threat model? How
does this stand up to, say, XSS? It seems rather dangerous to have a
JavaScript API for encrypting and decrypting messages - also is it
lacking signatures on purpose?

I'm a bit curious if you plan to implement an actual PGP implementation
- that would be useful, though the web browser seems like an awfully
dangerous place to do it.

All the best,
Jacob


