[liberationtech] PGP is hard to use and needs stuff installed on your computer. Use PassLok instead.

Julian Oliver julian at julianoliver.com
Sun Jul 28 02:23:52 PDT 2013


..on Fri, Jul 26, 2013 at 03:59:34PM -0500, ddahl at nulltxt.se wrote:
> You should use ContentSecurityPolicy to help avoid XSS attacks:
> http://content-security-policy.com/
> https://people.mozilla.com/~bsterne/content-security-policy/

The page appears to be entirely static to me, which I thought was one of the
advantages of this implementation. More so, it can be used offline, in a locally
hosted session.

Cheers,

Julian

> On Fri, 26 Jul 2013 15:42:02 -0500, Francisco Ruiz <ruiz at iit.edu> wrote:
> 
> > Scenario: you, Alice, realize you're under NSA surveillance. You need to
> > get a crucial bit of information to your friend Bob, right away.
> > You've been using PGP, but now you suspect the NSA may have installed a bug
> > on your machine. Your keystrokes are being recorded.
> > 
> > What can you do? Use PassLok instead.
> > 
> > I wrote PassLok with three guiding principles in mind:
> > 1. Absolutely nothing should be installed or even written in the computer.
> > Alice should be able to go to the local library or borrow someone else's
> > smartphone, and leave no traces behind.
> > 2. Best security available. No compromises.
> > 3. Graphical interface. Only one screen, as clean as possible.
> > 
> > Therefore, PassLok is written entirely in javascript. Once you load the
> > page at https://passlok.site44.com (http://passlok.com redirects you
> > there), you can save the file and you have PassLok even offline. You can
> > view the source and convince yourself that it is not connecting with any
> > server. If you know some cryptography, you can see that it is using the
> > well-known SJCL routines for AES encryption/decryption and elliptic curve
> > functions. Since the elliptic curves implemented in the current version of
> > SJCL only go up to the 384-bit NIST curve, I added the 521-bit NIST curve
> > (equivalent to a 15000-bit RSA key in predicted security) so that PassLok
> > uses that as a default. Even at 521 bits, the public keys are small, as you
> > can see from my lock (public key) below.
> > 
> > PassLok performs public-key cryptography using the Diffie-Hellman key
> > exchange rather than RSA, so you can use whatever secret key you want.
> > Hopefully something that is both very hard to guess and easy to remember,
> > so you never have to write it down. PassLok will help you to come up with a
> > strong key, but won't force you in any way.
> > 
> > PassLok can sign and verify signatures, too (many PGP implementations, such
> > as Mailvelope, cannot), and can also include a second secret message under
> > a separate key, to beat the "rubberhose attack." If you are not sure about
> > the authenticity of something, PassLok can make a short ID that you can
> > read over the phone. All of it from a single screen.
> > 
> > I want people to use PassLok and uncover any bugs it might still have,
> > before I move on to a Gmail plugin based on its engine. I believe it is
> > already very secure and easy to use by those who know a little
> > cryptography. Hopefully the metaphor used throughout PassLok, about locks
> > and keys rather than private/public key pairs, will also make it usable by
> > novices.
> > 
> > I'll appreciate any feedback you can give me. The link is repeated at the
> > bottom.
> > 
> > Thanks!
> > 
> > -- 
> > Francisco Ruiz
> > Associate Professor
> > MMAE department
> > Illinois Institute of Technology
> > 
> > my PassLok lock:
> > 
> > PL12lok=KpYv+bqJ7pq0eqC664UlIcwfl1P8f8p12NUqFdg2bQ2gTQTBuOo09BQs3GGiYOQUuQmtnoceAxJoSzjvYEYOM0q=PL12lok
> > 
> > get the PassLok privacy app at: http://passlok.com
> > --
> > Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

-- 
Julian Oliver
PGP B6E9FD9A
http://julianoliver.com
http://criticalengineering.org