[liberationtech] Seeking help removing me from this list

Andrea H. Tapia atapia at ist.psu.edu
Thu Feb 10 08:34:19 PST 2011


Hello all.
While I am very interested in the topic, the number and density of emails that come via this list are overwhelming.
I need to be removed. I have already tried to remove myself via the site at Stanford. This has not worked.
Can someone please aid me?

Thanks!

Andrea H. Tapia, Ph.D.
Associate Professor of Information Sciences and Technology
Affiliate Associate Professor of (1) Labor and Industrial Relations, (2) Sociology and (3) Science and Technology Studies
Penn State University


Check out my pages!
http://andreatapia.net
http://cohort.ist.psu.edu
http://evosta.ist.psu.edu
http://emerse.ist.psu.edu
http://ist.psu.edu



-----Original Message-----
From: liberationtech-bounces at lists.stanford.edu on behalf of David Dahl
Sent: Thu 2/10/2011 11:21 AM
To: Anders Sundman
Cc: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] pgp message encryption and decryption using just a browser
 
Anders:

Thanks! The threat of physical access will sink just about any
precautions. Protecting against that is more a matter of adding delete
timeouts to your in-memory passphrases and private keys. I have been
thinking about creating a self-destruct timeout as well - so that if
you have not used the client application for X days or hours, the next
launch of the browser will delete all persistent data.

I have basically taken the approach (with my experiments on
droplettr.com) of openssh, as they just dump the public and private
key in your home directory with the warning "don't lose your
computer!". A better solution is needed.

Thanks for the pointer on destroying the key and passphrase in the
decrypt function. I need more eyeballs on this initial bit of code.
You are correct, they should be deleted asap.

Cheers,

David


On Thu, Feb 10, 2011 at 3:17 AM, Anders Sundman
<sundman.anders at gmail.com> wrote:
> Great project! I hope you get a lot of useful feedback from people on
> this list and elsewhere.
>
> Since your threat model seems to be based around a remote attacker,
> this might not be entirely relevant; but extending the threat model to
> an attacker with access to the computer that the browser is running on
> seems like a logical next step.
>
> In that case you will have to struggle with a common problem with any
> type of crypto application. How to store the passphrase / priv.key in
> a way that makes it as hard as possible for an attacker with access to
> the computer to recover that data.
>
> In the function:
>
> function decrypt()
> {
>  var cryptoObj = {
>    privKey: window.crypt.privKey,
>    passphrase: document.getElementById("passphrase").value,
>    aSalt: window.crypt.salt,
>    aIV: window.crypt.iv
>  };
>  var decrypted =
>    window.crypt.decrypt(document.currentMessage,
>                         window.crypt.pubKey, cryptoObj);
>  document.getElementById("decrypted").innerHTML = decrypted;
> }
>
> you call: decrypt: function DAPI_decrypt(aMsg, aPubKey, aCryptoObj) { [...]
>
> This will of course put the privkey + passphrase in memory (there's
> really no way around that). I'm no JavaScript expert so I might be
> dead wrong here, but since JS is garbage collected, the cryptoObj
> won't be destroyed right away (and the sensitive data will linger in
> RAM longer than necessary). Setting the privKey/passphrase = 0 after
> the decrypt call won't solve the problem entirely, but will at least
> tighten the vulnerable time frame. This will also make the risk of the
> data getting paged to disc smaller (but won't eliminate it). I'm not
> sure how Firefox handles the decrypted document once it's displayed,
> but you would probably want to look into stuff like caching, etc.
> The torbutton design doc might come in handy:
> https://www.torproject.org/torbutton/en/design/#id2934378
>
> All the best,
> Anders
>
>
> On Wed, Feb 9, 2011 at 12:48 AM, David Dahl <david at ddahl.com> wrote:
>> I have been wanting to follow up on this thread, which means writing
>> some code. :)
>>
>> I have distilled the 3 methods needed to construct any kind of
>> PGP-like web application. My new extension, DOMCrypt, attaches a
>> 'crypt' property to each web page giving Javascript developers
>> crypt.generateKeyPair(), crypt.encrypt() and crypt.decrypt().
>>
>> All of the underlying crypto code is handled by NSS - the same library
>> used for the SSL/HTTPS. This is not a 'native JS' solution. It is fast
>> C code under the hood.
>>
>> See http://mozilla.ddahl.com/domcrypt/demo.html for a demo, the code
>> is here: https://github.com/daviddahl/domcrypt
>>
>> Regards,
>>
>> David
>>
>> On Sun, Sep 26, 2010 at 6:21 AM, David Dahl <david at ddahl.com> wrote:
>>> I have been experimenting with the JavaScript API for PKI that is
>>> provided by Firefox Sync. The underlying bits are implemented in C++
>>> (NSS), so it is pretty fast. I am slowly building up a toolkit for
>>> messaging in a pseudo-anonymous fashion called "Droplettr" and am
>>> looking for contributors. The entire thing is open source and is
>>> designed to be used like a protocol instead of a walled garden.
>>>
>>> Repo: http://bitbucket.org/daviddahl/droplettr/
>>>
>>> Site: https://droplettr.com/
>>>
>>> Things are in a state of brokenness at the moment, as this is a side
>>> research project of mine.
>>>
>>> Regards,
>>>
>>> David
>>>
>>> On Sat, Sep 25, 2010 at 12:00 AM, Danny O'Brien <DObrien at cpj.org> wrote:
>>>> This really isn't what you want Frank (at all!), but its bizarreness plus tangential connection to your question was too good to miss:
>>>>
>>>> http://www.links.org/?p=993
>>>>
>>>> It's TLS (including client-side certificates), re-implemented in in-browser Javascript. Ben's point is that such an implementation allows greater experimentation with security UI, which I think everyone agrees is the current Hard Problem.
>>>>
>>>> d.
>>>>
>>>> On Sep 23, 2010, at 11:08 PM, Frank Corrigan wrote:
>>>>
>>>>> For some time I have been investigating the availability of web pages
>>>>> that provide easy to use password creation and message encryption
>>>>> functions, which only depend upon web browsers' inbuilt JavaScript
>>>>> capabilities and can therefore be downloaded and used offline, and
>>>>> work across all common OSs and browsers.
>>>>>
>>>>> Examples are
>>>>> https://www.pwdhash.com
>>>>> as one of many options for password creation
>>>>>
>>>>> and http://www.hanewin.net/encrypt/PGcrypt.htm
>>>>> to encrypt messages using a recipient's PGP public key.
>>>>>
>>>>> The help I am requesting is whether anyone knows of an online resource,
>>>>> that meets the above criteria, that can not only encrypt text using a
>>>>> PGP public key but also has a facility to decrypt a PGP message with the
>>>>> recipient's private key?
>>>>>
>>>>> I am aware of FireGPG:
>>>>> http://getfiregpg.org/s/home
>>>>>
>>>>> which is excellent, though sadly now discontinued, but it is tied to
>>>>> Firefox through an add-on and its functions are dependent upon a local
>>>>> install of GPG.
>>>>>
>>>>> Thanks
>>>>> Frank
>>>>> _______________________________________________
>>>>> liberationtech mailing list
>>>>> liberationtech at lists.stanford.edu
>>>>>
>>>>> Should you need to change your subscription options, please go to:
>>>>>
>>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>
>>>
>> _______________________________________________
>> liberationtech mailing list
>> liberationtech at lists.stanford.edu
>>
>> Should you need to change your subscription options, please go to:
>>
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
>>
>> You will need the user name and password you receive from the list moderator in monthly reminders.
>>
>> Should you need immediate assistance, please contact the list moderator.
>>
>> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>>
>
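
One way to apply the two ideas from the quoted thread, wiping key material right after the decrypt call and putting a delete timeout on in-memory secrets, as an added JavaScript example that is not part of the original messages or of DOMCrypt. `SecretHolder` and its methods are hypothetical names; as the thread notes, this narrows the exposure window but does not cover copies made by the engine or by whatever API receives the bytes.

```javascript
// Added example: hypothetical helper, not part of DOMCrypt or Droplettr.
// Secrets are held in a Uint8Array, which can be overwritten in place; a JS
// string is immutable, so assigning 0 to it only drops one reference.
class SecretHolder {
  // ttlMs is the idle lifetime. schedule/cancel are injectable so the expiry
  // path can be exercised without waiting on a real timer.
  constructor(bytes, ttlMs,
              schedule = (f, ms) => setTimeout(f, ms),
              cancel = (t) => clearTimeout(t)) {
    this.buf = Uint8Array.from(bytes); // private copy we control
    bytes.fill(0);                     // zero the caller's copy
    this.ttlMs = ttlMs;
    this.schedule = schedule;
    this.cancel = cancel;
    this.timer = null;
    this.arm();
  }

  // (Re)start the idle countdown; expiry wipes the secret.
  arm() {
    if (this.timer !== null) this.cancel(this.timer);
    this.timer = this.schedule(() => this.wipe(), this.ttlMs);
    // Under Node, do not let the pending timer keep the process alive.
    if (this.timer && typeof this.timer.unref === "function") this.timer.unref();
  }

  get wiped() { return this.buf === null; }

  // Overwrite the bytes first, then drop the reference for the GC.
  wipe() {
    if (this.buf !== null) { this.buf.fill(0); this.buf = null; }
    if (this.timer !== null) { this.cancel(this.timer); this.timer = null; }
  }

  // Hand the secret to fn. With once=true it is wiped as soon as fn returns
  // or throws; otherwise the idle countdown restarts.
  use(fn, { once = false } = {}) {
    if (this.buf === null) throw new Error("secret expired or wiped");
    try {
      return fn(this.buf);
    } finally {
      if (once) this.wipe(); else if (this.buf !== null) this.arm();
    }
  }
}
```

The callback passed to `use` should work on the bytes directly; converting them to a string creates a copy that cannot be overwritten afterwards.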