[liberationtech] Signed / Encrypted HTTP - was: Signed HTTP

Patrick Schleizer adrelanos at riseup.net
Tue Mar 11 12:46:12 PDT 2014


Steve Schultze:
> Greetings all,
> 
> A couple of years ago, I did some limited research on signed (but not
> encrypted) HTTP responses. I discovered that although it had been
> considered briefly by a few folks in the past, it never went anywhere. This
> continues to be surprising to me, given the ever increasing need to mirror
> content for a variety of reasons. Has anyone on the list thought about
> this? It seems that our community has a particularly strong case for such a
> thing.
> 
> We sign software packages and emails. Why not http results? Ideally this
> would call for an IETF standard implemented in the major http servers,
> using certs already installed for https (if that is technically
> possible...  I haven't thought through the crypto).
> 
> Steve

As said, I preferred to sign my websites locally with gpg. Problem is,
nowadays we're all using fancy web applications (mediawiki, wordpress,
etc.) and the html is dynamically created on the server.

There is PGPHTML [1], but there are licensing problems. [2]

Signed content also should require re-signing after a configurable
amount of time to prevent downgrade and permanent freeze attacks
(replaying previously released, old signed messages). (A valid-until
field similar to [3].)

And while we're at it, why not support gpg encrypted http as well?
Websites, which would only be available to those who have the required
private keys to read it.

[1] http://www.sanface.com/pgphtml.html
[2] https://www.whonix.org/wiki/Dev/OpenPGP_Signed_Website#cite_note-2
[3] http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
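
The freshness check described in the message above, as an added example that is not part of the original post: a client rejects a correctly signed page once its valid-until time has passed (freeze) or when it is older than a page already seen (downgrade). The header names, timestamp format, key and sample pages are constructed assumptions, and HMAC-SHA256 stands in for the OpenPGP signature so the sketch runs without gpg.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

KEY = b"constructed-demo-key"  # assumption: stand-in for the site's signing key
FMT = "%Y-%m-%dT%H:%M:%SZ"     # assumption: timestamp format of both headers


def sign(payload: bytes) -> bytes:
    # HMAC-SHA256 replaces the OpenPGP signature for this demo only.
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()


def make_page(body: str, date: str, valid_until: str) -> bytes:
    # The freshness headers are inside the signed payload, so a mirror
    # cannot extend Valid-Until without breaking the signature.
    payload = f"Date: {date}\nValid-Until: {valid_until}\n\n{body}".encode()
    return sign(payload) + b"\n" + payload


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def check_page(blob: bytes, now: datetime, last_seen: Optional[datetime] = None):
    """Return (status, date); status is ok, bad-signature, expired or rollback."""
    sig, _, payload = blob.partition(b"\n")
    if not hmac.compare_digest(sig, sign(payload)):
        return "bad-signature", None
    head, _, _body = payload.decode().partition("\n\n")
    fields = dict(line.split(": ", 1) for line in head.splitlines())
    date, valid_until = parse_ts(fields["Date"]), parse_ts(fields["Valid-Until"])
    if now > valid_until:
        return "expired", date   # freeze: a stale signed copy is being replayed
    if last_seen is not None and date < last_seen:
        return "rollback", date  # downgrade: older than a page already accepted
    return "ok", date


# Constructed sample pages and clock.
NOW = parse_ts("2014-03-11T12:00:00Z")
NEW = make_page("v2", "2014-03-01T00:00:00Z", "2014-04-01T00:00:00Z")
OLD = make_page("v1", "2014-01-01T00:00:00Z", "2014-02-01T00:00:00Z")
OVERLAP = make_page("v1.5", "2014-02-20T00:00:00Z", "2014-03-20T00:00:00Z")

if __name__ == "__main__":
    for name, page in (("NEW", NEW), ("OLD", OLD), ("OVERLAP", OVERLAP)):
        print(name, check_page(page, NOW, last_seen=parse_ts("2014-03-01T00:00:00Z")))
```

The rollback case needs client-side state (the newest signed date accepted so far), which the valid-until field alone does not provide.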



