[liberationtech] Fwd: Re: pgp message encryption and decrypion using just a browser
Frank Corrigan
email at franciscorrigan.com
Thu Feb 10 07:43:55 PST 2011
Law #1: If a bad guy can persuade you to run his program on your
computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer,
it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer,
it's not your computer anymore
http://technet.microsoft.com/en-us/library/cc722487.aspx
- - - - -
"Since your threat model seems to be based around a remote attacker,
this might not be entirely relevant; but extending the threat model to
an attacker with access to the computer that the browser is running on
seems like a logical next step."
- - - - -
Therefore wider use of LiveCD's might mitigate against some significant
risks:
-----
On January 20th, the TAILS LiveCD/USB team released an updated version,
0.6.2. It is available at http://amnesia.boum.org/news/version_0.6.2/.
https://blog.torproject.org/blog/january-2011-progress-report
I became familiar with LiveCD's using ubuntu (http://www.ubuntu.com)
after endless Window OS crashes and consequently have used it on
untrusted computers and via my own G3 Mobile Wifi (MiFi) + Public
open-WiFi - though of course I am not in a volatile situation, I do at
least appreciate some of the practicalities and being in London with
it's communities of Political Exile's, as they too also need to consider
developing Lib Tech skills, as they often act as important conduits for
friends, family and colleagues in repressive 'home' countries. Not
forgetting all those international students who often come and go from
repressive & surveillance states.
Blackhat 2011 DC: De-Anonymizing Live CDs
Posted Tue 01 Feb 2011 10:57:57 PM PST
http://amnesia.boum.org/security/audits/Blackhat_De-Anonymizing_Live_CDs/
Frank
On Wed, Feb 9, 2011 at 12:48 AM, David Dahl <david at ddahl.com> wrote:
> I have been wanting to follow up on this thread, which means writing
> some code.:)
>
> I have distilled the 3 methods needed to construct any kind of
> PGP-like web application. My new extension, DOMCrypt, attaches a
> 'crypt' property to each web page giving Javascript developers
> crypt.generateKeyPair(), crypt.encrypt() and crypt.decrypt().
>
> All of the underlying crypto code is handled by NSS - the same library
> used for the SSL/HTTPS. This is not a 'native JS' solution. It is fast
> C code under the hood.
>
> See http://mozilla.ddahl.com/domcrypt/demo.html for a demo, the code
> is here: https://github.com/daviddahl/domcrypt
>
> Regards,
>
> David
>
> On Sun, Sep 26, 2010 at 6:21 AM, David Dahl <david at ddahl.com> wrote:
>> I have been experimenting with the JavaScript API for PKI that is
>> provided by Firefox Sync. The underlying bits are implemented in C++
>> (NSS), so it is pretty fast. I am slowly building up a toolkit for
>> messaging in a pseudo-anonymous fashion called "Droplettr" and am
>> looking for contributors. The entire thing is open source and is
>> designed to be used like a protocol instead of a walled garden.
>>
>> Repo: http://bitbucket.org/daviddahl/droplettr/
>>
>> Site: https://droplettr.com/
>>
>> Things are in a state of brokenness at the moment, as this is a side
>> research project of mine.
>>
>> Regards,
>>
>> David
>>
>> On Sat, Sep 25, 2010 at 12:00 AM, Danny O'Brien <DObrien at cpj.org> wrote:
>>> This really isn't what you want Frank (at all!), but its bizarreness plus tangential connection to your question was too good to miss:
>>>
>>> http://www.links.org/?p=993
>>>
>>> It's TLS (including client-side certificates), re-implemented in in-browser Javascript. Ben's point is that such an implementation allows greater experimentation with security UI, which I think everyone agrees is the current Hard Problem.
>>>
>>> d.
>>>
>>> On Sep 23, 2010, at 11:08 PM, Frank Corrigan wrote:
>>>
>>>> For some time I have been investigating the availability of web pages
>>>> that provide easy to use password creation and message encryption
>>>> functions, which only depend upon web browsers inbuilt javascript
>>>> capabilities and can therefore be downloaded and used off line. And
>>>> works across all common OSs and browsers.
>>>>
>>>> Examples are
>>>> https://www.pwdhash.com
>>>> as one of many options for password creation
>>>>
>>>> and http://www.hanewin.net/encrypt/PGcrypt.htm
>>>> to encrypt messages using a recipients pgp Public key.
>>>>
>>>> The help I am requesting is whether anyone knows of an online resource,
>>>> that meets the above criteria, that can not only encrypt text using a
>>>> pgp Public key but also has a facility to decrypt a pgp message with the
>>>> recipients Private key?
>>>>
>>>> I am aware of FireGPG:
>>>> http://getfiregpg.org/s/home
>>>>
>>>> which is excellent, though sadly now discontinued, but it is tied to
>>>> Fire Fox through an add-on and it's functions are dependent upon a local
>>>> install of GPG.
>>>>
>>>> Thanks
>>>> Frank
>>>> _______________________________________________
>>>> liberationtech mailing list
>>>> liberationtech at lists.stanford.edu
>>>>
>>>> Should you need to change your subscription options, please go to:
>>>>
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>> _______________________________________________
>>> liberationtech mailing list
>>> liberationtech at lists.stanford.edu
>>>
>>> Should you need to change your subscription options, please go to:
>>>
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
>
> You will need the user name and password you receive from the list moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>
_______________________________________________
liberationtech mailing list
liberationtech at lists.stanford.edu
Should you need to change your subscription options, please go to:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
If you would like to receive a daily digest, click "yes" (once you click
above) next to "would you like to receive list mail batched in a daily
digest?"
You will need the user name and password you receive from the list
moderator in monthly reminders.
Should you need immediate assistance, please contact the list moderator.
Please don't forget to follow us on http://twitter.com/#!/Liberationtech
More information about the liberationtech
mailing list