Search Mailing List Archives
[liberationtech] pgp message encryption and decrypion using just a browser
jacob at appelbaum.net
Wed Feb 9 01:04:32 PST 2011
On 02/08/2011 07:17 PM, David Dahl wrote:
> The main threat here are the black holes we all routinely dump
> personal information into in the social web. We need an API available
> in the DOM to encrypt text and messages. This needs to happen as so
> much software development has moved to the browser - this is a logical
I agree. It will be nice when we have OTR over say facebook or gmail
messaging that takes place in the browser.
> I have not thought about the threat from XSS and other weaknesses a
> tool like this will have to deal with -yet. I have only had time to
> implement what you see in the demo. Signatures are no problem, I just
> have not written the front end.
> libraries via jsctypes) behind the scenes in the chrome-privileged
> objects and properties to lock things down:
> - which I plan on using to keep external scripts from changing
> properties in the API.
> There is a lot of work here to identify threats - quite a large test
> suite will be required. Another issue is what interface is secure
> enough to type the passphrase into, and where do you keep your
> private key? Again, these things need to be figured out. For one, I
> plan on creating a generic chrome-privileged prompt to type in the
> passphrase. persistent storage is another matter altogether.
Phishing is going to be an issue, I bet.
> I work at Mozilla and plan on hitting up the security team for advice
> on these issues as well. I would love to see a list of potential
> weaknesses from you, if you have the spare time.
Great. Well, I'd say that it would be good to write a specification or
to write a specification. Two great targets would be OpenPGP and OTR -
both would be useful in the browser. There are a lot of implementation
gotchas that will come up. I imagine that you'll find some crypto
operations aren't constant time when they should be, you'll also find
or anything based on the DOM, etc.
In any case, it's hard stuff but it's a good direction. Happy Hacking!
All the best,
More information about the liberationtech