[liberationtech] pgp message encryption and decryption using just a browser
Brandon Wiley
brandon at blanu.net
Mon Sep 27 08:57:41 PDT 2010
This is very cool. If you were to use pure Javascript crypto and
automatically detect and upgrade to native when the extension is installed
then this would broaden your potential user base.

I have built a similar system using pure Javascript implementations of RSA
and AES which I can send you if you'd like. My original goal was to develop
an end-to-end (browser-to-browser) encrypted fork of StatusNet (an open
source microblogging platform). The benefit would be that the service
couldn't leak your private information (since they do not have it in
unencrypted form) except through an explicit attack where they try to
intercept your private key (PR disaster). I found the problems to be with
PKI as usual. When HTML5 client-side storage is more mature and has
widespread adoption, this could be a suitable way to store private keys,
although that of course destroys portability between computers. The other
PKI issue is that the usual public key cryptography primitives don't work so
well for one-to-many publication, requiring a separate encrypted message for
each recipient. This is somewhat awkward to incorporate into an existing
microblogging platform.

Anyway, if you are interested in doing a pure Javascript version of your
code, I have cleaned up the publicly available Javascript implementations of
RSA, AES, SHA1, and Base64 and you are welcome to them.

On Mon, Sep 27, 2010 at 8:47 AM, David Dahl <david at ddahl.com> wrote:
> On Mon, Sep 27, 2010 at 1:45 AM, Frank Corrigan
> <email at franciscorrigan.com> wrote:
>
> > I am looking for online pgp decryption resources that are as
> > straightforward as the hanewin encryption facility, as a backup, to when it is
> > not possible to access GPG software or install such without Admin
> > rights.
> >
> Indeed, this is a drawback. Eventually, the crypto bits will no doubt
> be added to the browser's window object itself.
>
> I have written it so that the extension only wraps the native speed
> encryption API, and while you have to use a tiny extension (80k), it
> is calling into C++ native code that is very fast.
>
> The "WebAPI" bits
> ( https://bitbucket.org/daviddahl/droplettr/src/tip/html5site/js/droplettr.js )
> are independent from the UI bits
> ( https://bitbucket.org/daviddahl/droplettr/src/tip/html5site/js/droplettr-ui.js )
>
> > David, Concerning https://droplettr.com/ this is something I am unable
> > to evaluate and it does not appear to meet the criteria of being able to
> > use fully offline and is not based upon one main page that can be
> > downloaded as a full web page, with all its accompanying Javascript
> > dependencies. I have not mentioned it explicitly but I am looking for
> > resources based upon open-source.
>
> It is open source, all of the client and server code is here:
> https://bitbucket.org/daviddahl/droplettr - anyone can and should run
> their own server. It is in a state of flux right now as I need to get
> it ready for Firefox 4.
>
> Additionally, it is heavily jQuery-based, making it easy for web
> developers to hack on. The concept is an experiment in adding an
> encryption API to the DOM: window.droplettr.encryptMessage(aSubject,
> aContent, aPubKey), window.droplettr.decryptMessage(aMessage, aPubKey,
> aCryptoObj)
>
> I will be running a server once all of this is deploy-able, but I am
> not interested in being a high-volume service provider.
>
> Cheers,
>
> David
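
The one-to-many cost described in Brandon Wiley's message above, as an added example that is not part of the original thread or either author's code: the post body is encrypted once with AES-GCM, yet a separately RSA-wrapped copy of the content key is still needed for every recipient. It uses Node.js's built-in crypto module rather than the pure-Javascript RSA/AES code the message mentions; makeRecipient, encryptForMany and decryptAs are hypothetical names, and the recipients are constructed sample data.

```javascript
// Added example: Node.js built-in crypto, not droplettr or the list authors' code.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed recipient: each follower holds their own RSA key pair.
function makeRecipient(name) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Encrypt the post once under a fresh AES-256-GCM content key, then wrap
// that key separately for each recipient with RSA-OAEP.
function encryptForMany(plaintext, recipients) {
  const contentKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', contentKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  // The per-recipient part: one RSA operation and one 256-byte blob each.
  const wrappedKeys = recipients.map((r) => ({
    name: r.name,
    wrapped: crypto.publicEncrypt({ key: r.publicKey, ...OAEP }, contentKey),
  }));
  return { iv, body, tag, wrappedKeys };
}

// A recipient finds their own wrapped key, unwraps it with their private
// key, then decrypts and authenticates the shared body.
function decryptAs(recipient, message) {
  const entry = message.wrappedKeys.find((w) => w.name === recipient.name);
  if (!entry) throw new Error('no wrapped key for ' + recipient.name);
  const contentKey =
    crypto.privateDecrypt({ key: recipient.privateKey, ...OAEP }, entry.wrapped);
  const decipher = crypto.createDecipheriv('aes-256-gcm', contentKey, message.iv);
  decipher.setAuthTag(message.tag); // final() throws if the body was modified
  return Buffer.concat([decipher.update(message.body), decipher.final()])
    .toString('utf8');
}
```

The message grows by one wrapped key per follower, and anyone added to the audience later needs the content key re-wrapped for them.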