Forgot your password?
typodupeerror
Encryption Programming Security IT

OpenPGP Implemented In JavaScript 167

Posted by Unknown Lamer
from the what-won't-someone-do-next dept.
angry tapir writes with this excerpt from Tech World: "Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages. Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with GMail." A quick gander at the source leaves me with the impression that it should be more or less portable to other browsers. It's also built using a lot of off-the-shelf Javascript libraries. (Who knew Javascript had a bignum library and a number of cipher implementations?)
This discussion has been archived. No new comments can be posted.

OpenPGP Implemented In JavaScript

Comments Filter:
  • Re:Yeah right (Score:5, Informative)

    by Chrisq (894406) on Tuesday November 22, 2011 @07:01AM (#38133886)
    Where do you get it that anyone but you has your private key? From TFA:

    A PGP user who wants to send and receive encrypted emails from a different computer, would have to install it on that system first, import his private and public keys into the local database, known as the keyring, and then configure his email client.

  • by Anonymous Coward on Tuesday November 22, 2011 @07:08AM (#38133916)

    Email encryption (OpenPGP and SMIME ) is done on the client side. People have to use to email client softwares ( outlook, thunderbird ..etc) to encrypt/sign their messages.
    The problem, what if you dont wanna use an email client ?
    The solution
                        1 - Do it manually ( copy, encrypt/sign , past)
                    OR - Implement it on the "new" client software (ie: the browser )
    The reason of javascript is that chrome extensions are written in that language ( and every browser support it ). Maybe other releases will be implemented in other languages that integrate to browsers ( Dart ? )

  • by Chrisq (894406) on Tuesday November 22, 2011 @07:14AM (#38133946)

    http://www.matasano.com/articles/javascript-cryptography/

    The above was written by someone without an understanding of public key cryptography. All you need to do is ensure that the crypto JavaScript is delivered through a secure channel. Once you have done that you can publish a public key on an insecure site and allow people to send data to you which cannot be intercepted. You can also let them generate a key pair and send you the public key, after which you can send them a response.

  • by Martin Blank (154261) on Tuesday November 22, 2011 @01:08PM (#38137522) Journal

    Hushmail lost a lot of credibility a few years ago when it turned out that its most commonly-used encryption method that ran server-side was delivered in a modified state at the request of government agencies. Yes, there are issues with trusting anything server-side, but its promises started sounding hollow when the CTO openly admitted it.

    If you built your own applet from the public source code, the interception was not an issue, but if you used the easier mechanism hosted by Hushmail, you were at risk of your mail being decrypted and turned over.

    http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/ [wired.com]

...when fits of creativity run strong, more than one programmer or writer has been known to abandon the desktop for the more spacious floor. - Fred Brooks, Jr.

Working...