[liberationtech] pgp message encryption and decryption using just a browser
David Dahl
david at ddahl.com
Tue Feb 8 19:17:53 PST 2011
Jacob:
The main threat here is the black holes we all routinely dump
personal information into in the social web. We need an API available
in the DOM to encrypt text and messages. This needs to happen as so
much software development has moved to the browser - this is a logical
evolution.
I have not thought about the threat from XSS and other weaknesses a
tool like this will have to deal with - yet. I have only had time to
implement what you see in the demo. Signatures are no problem, I just
have not written the front end.
The DOM-accessible API is implemented in JavaScript (calling C
libraries via jsctypes) behind the scenes in the chrome-privileged
scope of Firefox. JavaScript (1.8.5) in Firefox allows for frozen
objects and properties to lock things down:
https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/Object/freeze
- which I plan on using to keep external scripts from changing
properties in the API.
There is a lot of work here to identify threats - quite a large test
suite will be required. Another issue is what interface is secure
enough to type the passphrase into, and where do you keep your
private key? Again, these things need to be figured out. For one, I
plan on creating a generic chrome-privileged prompt to type in the
passphrase. Persistent storage is another matter altogether.
I work at Mozilla and plan on hitting up the security team for advice
on these issues as well. I would love to see a list of potential
weaknesses from you, if you have the spare time.
Cheers,
David
On Tue, Feb 8, 2011 at 8:24 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>
> Can you go into a little more detail? What is your threat model? How
> does this stand up to say, XSS? It seems rather dangerous to have a
> javascript API for encrypting and decrypting messages - also is it
> lacking signatures on purpose?
>
> I'm a bit curious if you plan to implement an actual PGP implementation
> - that would be useful, though the web browser seems like an awfully
> dangerous place to do it.
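As an added illustration of the Object.freeze lockdown David describes above (example code, not from the post or from Mozilla), the block below applies a deep freeze to a hypothetical stand-in API object, checks that a page script's attempts to reassign or add properties are rejected, and shows the caveat that a plain Object.freeze is shallow:

```javascript
// Lock down an API object so page scripts cannot reassign or add properties.
// Object.freeze is shallow: nested objects (e.g. an options sub-object) stay
// writable unless they are frozen too, so walk the object recursively.
function deepFreeze(obj) {
  for (const name of Object.getOwnPropertyNames(obj)) {
    const value = obj[name];
    if (value !== null && typeof value === 'object') {
      deepFreeze(value);
    }
  }
  return Object.freeze(obj);
}

// Hypothetical stand-in for the DOM crypto API from the post: the real
// operations would call native libraries; these just tag the text so that
// any tampering with the methods is observable.
function buildApi() {
  const api = {
    options: { armor: true },
    encrypt(text) { return '[enc]' + text; },
    decrypt(text) { return text.replace(/^\[enc\]/, ''); },
  };
  return deepFreeze(api);
}

// Simulate an untrusted script trying to replace api.encrypt, flip a nested
// option and add a new method. In strict mode each write throws TypeError
// (in sloppy mode it would fail silently). Returns true if the API is intact.
function apiSurvivesTampering(api) {
  'use strict';
  let rejected = 0;
  try { api.encrypt = (t) => t; } catch (e) { if (e instanceof TypeError) rejected++; }
  try { api.options.armor = false; } catch (e) { if (e instanceof TypeError) rejected++; }
  try { api.sign = () => 'forged'; } catch (e) { if (e instanceof TypeError) rejected++; }
  return rejected === 3 &&
    api.encrypt('hello') === '[enc]hello' &&
    api.options.armor === true &&
    api.sign === undefined;
}

// The shallow-freeze caveat: a nested object under a frozen parent is still
// writable, so a single Object.freeze on the top-level API is not enough.
function shallowFreezeLeavesNestedWritable() {
  const api = Object.freeze({ options: { armor: true } });
  api.options.armor = false; // no error: the nested object was never frozen
  return api.options.armor === false;
}
```

Freezing only protects the API surface from being rewritten; it does nothing about a script that simply calls the frozen methods with, or reads back, plaintext it should not have, which is the XSS concern raised in the thread.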