[liberationtech] pgp message encryption and decryption using just a browser
Frank Corrigan
email at franciscorrigan.com
Mon Sep 27 01:45:20 PDT 2010
Steve, you are of course right that decryption raises issues that may be
more problematic than using the likes of hanewin's [1] encryption
facility. I always take the stance of a research-based sceptic when I am
using or evaluating encryption tech. hanewin's implementation also
allows PGP text encryption offline, and when the full HTML page is
downloaded all the dependent JavaScript is as well, so at least it can
be inspected and analysed. (Though I will myself not have the knowledge
to know what I am looking at when it comes to JS code!)
Using the likes of https://www.pwdhash.com/ also requires trusting its
handling of password data, but as with hanewin, it can be used offline.
In the past I have used horde.org's webmail, which provides encrypting,
signing, decrypting and verifying of signed and encrypted messages
(PGP/GPG and S/MIME). Using such requires trusting the host and its
terms and conditions. So even if trust exists in the underlying tech
and host, trust still has to take on numerous issues, such as
monitoring, access and disclosure to law enforcement
agencies (http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/).
I am looking for online PGP decryption resources that are as
straightforward as the hanewin encryption facility, as a backup for when
it is not possible to access GPG software or install such without admin
rights.
David, concerning https://droplettr.com/: this is something I am unable
to evaluate, and it does not appear to meet the criteria of being usable
fully offline and being based upon one main page that can be
downloaded as a full web page with all its accompanying JavaScript
dependencies. I have not mentioned it explicitly, but I am looking for
resources based upon open source.
To check whether hanewin's can be trusted, it is possible to use it
to just create an encrypted text message (offline) with one's own
public key and then decrypt it via GPG. If there were an underlying
concern about the JavaScript, I could test it out through a disposable VM,
sandbox or live CD, save the encrypted message and then reboot and
send the saved message, but this would only be to check things out.
I do think such a resource could easily be developed and provided
through a trusted third party which has the resources to mitigate against
compromise, which I assume the likes of https://www.pwdhash.com/ has.
Thanks
Frank
[1] http://www.hanewin.net/encrypt/PGcrypt.htm
----- Original message -----
From: "Steve Weis" <steveweis at gmail.com>
To: "Frank Corrigan" <email at franciscorrigan.com>
Cc: "Danny O'Brien" <DObrien at cpj.org>, liberationtech at lists.stanford.edu
Date: Sun, 26 Sep 2010 15:35:34 -0700
Subject: Re: [liberationtech] pgp message encryption and decryption using
just a browser
Hi Frank. How would you trust the Javascript that decrypts the
message? You would need to give that code your secret key, so you must
trust it completely.
That Javascript code would be hosted on a third-party site that could
be malicious, compromised, or incompetent. You could audit the code,
but the site could silently change it at any time in the future.
Signing it doesn't help unless you already have some trusted code to
verify the signature. You could hypothetically save a local trusted
version of the Javascript and run it, but at that point you might as
well just use GPG.
I think using client-side Javascript for crypto is generally a bad
idea. I've only seen one case where it made sense, which was to
offload public-key operations onto clients. That was strictly for
performance reasons and did not increase the risk above what the site
was already doing.
On Sun, Sep 26, 2010 at 12:45 AM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> ... I was and I still
> am keen to identify an online, akin to hanewin's, but one that can
> equally decrypt a text-based pgp message. Of course creating encryption
> keys does require software in addition to a web browser. But I still do
> think it would be very helpful to many to be able to access an online
> resource for the sending and reading of pgp messages, without the need
> of additional software and one that can be used off-line and downloaded
> locally or kept on a usb stick for greater portability.