OpenPGP Implemented In JavaScript 167
angry tapir writes with this excerpt from Tech World: "Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages. Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with GMail."
A quick gander at the source leaves me with the impression that it should be more or less portable to other browsers. It's also built using a lot of off-the-shelf Javascript libraries. (Who knew Javascript had a bignum library and a number of cipher implementations?)
Isn't encryption in JavaScript considered harmful? (Score:3, Interesting)
http://www.matasano.com/articles/javascript-cryptography/
Key management (Score:4, Interesting)
I think for reasons of trust that if you were to use js PGP that it should be from a browser extension that could be reviewed and be within your control to some extent. Or better yet if the js became a core part of a browser where the code could be implicitly trusted. I'd love to see something like Firefox support go further and use a lib like this so unsigned certs could instead describe a web of trust via PGP and modify the manner in which Firefox presents such certs to a user. CAs are the biggest racket on the web and are IMO the biggest impediment to https being the default protocol for web activity.
Re:Who knew? (Score:5, Interesting)
The short book, JavaScript: The Good Parts, by Douglas Crockford ....
Re:Who knew? (Score:5, Interesting)
It can't be done. The problem is that the language itself is so horribly broken that anything built upon it, be it libraries, applications, tutorials or books, will inherently be horrible, too. JavaScript just can't be salvaged. It needs to be discarded.
I used to think this, but I don't any more. The aforementioned Crockford book is the bible on this.
There is a "pleasant" Javascript community, and what they have done is to separate Javascript into three parts:
- the good parts -- use them
- the bad parts -- avoid using them altogether
- the missing parts -- build acceptable workarounds to these using what's available
For example, Javascript has a horrible tendency for scripts to pollute the global variable namespace. The community came up with the CommonJS module convention, which solves the problem rather neatly.
It's not that easy: side channel attacks (Score:2, Interesting)
Generally speaking, porting cryptographic implementations between systems is not as easy as "do both implementations produce the same output for the many test inputs tried?".
Proper implementations will mitigate against side channel attacks by:
I'm skeptical as to whether a web browser implementation (in JavaScript, not part of the browser itself) can address the issues listed above.
Re:Who knew? (Score:4, Interesting)