[liberationtech] pgp message encryption and decryption using just a browser
Jacob Appelbaum
jacob at appelbaum.net
Tue Feb 8 18:24:02 PST 2011
On 02/08/2011 03:48 PM, David Dahl wrote:
> I have been wanting to follow up on this thread, which means writing
> some code. :)
>
> I have distilled the 3 methods needed to construct any kind of
> PGP-like web application. My new extension, DOMCrypt, attaches a
> 'crypt' property to each web page giving Javascript developers
> crypt.generateKeyPair(), crypt.encrypt() and crypt.decrypt().
>
> All of the underlying crypto code is handled by NSS - the same library
> used for SSL/HTTPS. This is not a 'native JS' solution. It is fast
> C code under the hood.
>
> See http://mozilla.ddahl.com/domcrypt/demo.html for a demo, the code
> is here: https://github.com/daviddahl/domcrypt
>
Hi David,

Can you go into a little more detail? What is your threat model? How
does this stand up to, say, XSS? It seems rather dangerous to have a
JavaScript API for encrypting and decrypting messages - also is it
lacking signatures on purpose?

I'm a bit curious if you plan to implement an actual PGP implementation -
that would be useful, though the web browser seems like an awfully
dangerous place to do it.

All the best,
Jacob
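
Added example, not part of the original message and not DOMCrypt code: the signature question above, shown with Node's built-in crypto module standing in for a browser encryption API. It assumes RSA-OAEP for encryption and Ed25519 for signing; all function names, keys and messages are constructed for the illustration. Encryption alone tells the recipient nothing about who wrote a message, while a signature checked against the expected sender's key does.

```javascript
// Added example: Node's crypto as a stand-in; keys and messages are constructed.
const nodeCrypto = require("node:crypto");

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };
const SIG_LEN = 64; // an Ed25519 signature is always 64 bytes
const newEncryptionKeys = () => nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const newSigningKeys = () => nodeCrypto.generateKeyPairSync("ed25519");

// Encryption only: needs nothing but the recipient's PUBLIC key.
function encryptOnly(recipientPub, text) {
  return nodeCrypto.publicEncrypt({ key: recipientPub, ...OAEP }, Buffer.from(text, "utf8"));
}

function decryptOnly(recipientPriv, ciphertext) {
  return nodeCrypto.privateDecrypt({ key: recipientPriv, ...OAEP }, ciphertext).toString("utf8");
}

// Sign-then-encrypt: the sender's signature travels inside the ciphertext.
// RSA-OAEP limits this to short messages; real designs use hybrid encryption.
function signAndEncrypt(senderSignPriv, recipientPub, text) {
  const msg = Buffer.from(text, "utf8");
  const sig = nodeCrypto.sign(null, msg, senderSignPriv);
  return nodeCrypto.publicEncrypt({ key: recipientPub, ...OAEP }, Buffer.concat([sig, msg]));
}

// Returns the plaintext only if it verifies under the expected sender's key.
function decryptAndVerify(recipientPriv, expectedSenderPub, ciphertext) {
  const payload = nodeCrypto.privateDecrypt({ key: recipientPriv, ...OAEP }, ciphertext);
  const sig = payload.subarray(0, SIG_LEN);
  const msg = payload.subarray(SIG_LEN);
  if (payload.length < SIG_LEN || !nodeCrypto.verify(null, msg, expectedSenderPub, sig)) {
    throw new Error("signature check failed: sender not authenticated");
  }
  return msg.toString("utf8");
}

function demo() {
  const bob = newEncryptionKeys(); // recipient
  const alice = newSigningKeys(), other = newSigningKeys();
  // Decrypts fine, but nothing ties this text to any particular sender.
  const plain = decryptOnly(bob.privateKey, encryptOnly(bob.publicKey, "from alice?"));
  const signed = decryptAndVerify(bob.privateKey, alice.publicKey,
    signAndEncrypt(alice.privateKey, bob.publicKey, "from alice"));
  let rejected = false;
  try { // same text, signed with a key that is not Alice's: must be refused
    decryptAndVerify(bob.privateKey, alice.publicKey,
      signAndEncrypt(other.privateKey, bob.publicKey, "from alice"));
  } catch (e) { rejected = true; }
  return { plain, signed, rejected };
}
```

The signature only helps if the recipient obtained the sender's public key through a channel the page's scripts cannot rewrite, which is where the XSS question applies.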