Forgot your password?
typodupeerror
Encryption Programming Security IT

OpenPGP Implemented In JavaScript 167

Posted by Unknown Lamer
from the what-won't-someone-do-next dept.
angry tapir writes with this excerpt from Tech World: "Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages. Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with GMail." A quick gander at the source leaves me with the impression that it should be more or less portable to other browsers. It's also built using a lot of off-the-shelf Javascript libraries. (Who knew Javascript had a bignum library and a number of cipher implementations?)
This discussion has been archived. No new comments can be posted.

OpenPGP Implemented In JavaScript

Comments Filter:
  • Who knew? (Score:4, Insightful)

    by Pieroxy (222434) on Tuesday November 22, 2011 @05:36AM (#38133800) Homepage

    who knew Javascript had a bignum library and a number of cipher implementations

    Those that know JavaScript?

    And I don't mean the kids copy/pasting stuff found on the web, but real people working with JavaScript and having knowledge of the language, libraries, etc.

    The biggest problem with JavaScript is that the world is plagued with kiddos that think they know JavaScript when all they know is how to search their needs on Google and copy/paste from there.

    • Re:Who knew? (Score:4, Insightful)

      by LingNoi (1066278) on Tuesday November 22, 2011 @05:42AM (#38133818)

      Ah yes, the stereotypical programmer.. You're either a genius or an idiot. You must be real fun to work with.

      • Re:Who knew? (Score:5, Insightful)

        by Zero__Kelvin (151819) on Tuesday November 22, 2011 @08:06AM (#38134476) Homepage
        The fact remains that a large majority of programmers today would do the world a service by changing careers. The industry is flooded with programmers who cannot program [codinghorror.com].
        • Re:Who knew? (Score:4, Interesting)

          by aztracker1 (702135) on Tuesday November 22, 2011 @10:17AM (#38135806) Homepage
          I'm afraid I have to agree on this one... Recently a programmer was let go because he simply couldn't creatively code his way out of a paper bag. Of course now I'm stuck picking up the slack, but 1/3 of my time was spent helping the other guy, and most of what he got done is what I actually did.
    • Seconded. More inane language bias on display.
    • by Xner (96363)
      Actually, since we're on topic now, I have been looking for a good way to get into JavaScript that steers clear of the cargo cult mentality. Do you have any pointers for books, tutorials etc?
      • Re:Who knew? (Score:5, Interesting)

        by Anonymous Coward on Tuesday November 22, 2011 @06:37AM (#38134030)

        The short book, JavaScript: The Good Parts, by Douglas Crockford ....

        • by Anonymous Coward on Tuesday November 22, 2011 @07:37AM (#38134326)

          The short book, JavaScript: The Good Parts, by Douglas Crockford ....

          A book on JavaScipt's good parts is short?! I am shocked, sir!

      • by marsu_k (701360)
        This book [amazon.com] contains what it says on the tin.
      • This is from my own blog... JavaScript Books That Should Be Required Reading [frugalcoder.us], and still pretty relevant.. there are also a couple of APress books for more advanced topics. Also, if you are interested in the language itself, getting into NodeJS, or MongoDB isn't a bad way to do it out of the browser.
  • Could be used for web forums too.

  • by Anonymous Coward on Tuesday November 22, 2011 @05:57AM (#38133860)

    http://www.matasano.com/articles/javascript-cryptography/

    • No, it isn't. This article implicitly assumes user trusts server with everything or not at all. Not a case with GMail: in most attack models I can perfectly assume Google will deliver me correct Javascript code over SSL, but never trust it with securing my email content. Account hijacks are quite usual and replacing code on GMail servers is completely another thing.
      • That is, if you trust SSL and the certificate things, and trust that DigiNotar event can't happen, that there's no evil government running their own root CA, etc. To me, that's a big IF !
    • by Chrisq (894406) on Tuesday November 22, 2011 @06:14AM (#38133946)

      http://www.matasano.com/articles/javascript-cryptography/

      The above was written by someone without an understanding of public key cryptography. All you need to do is ensure that the crypto JavaScript is delivered through a secure channel. Once you have done that you can publish a public key on an insecure site and allow people to send data to you which cannot be intercepted. You can also let them generate a key pair and send you the public key, after which you can send them a response.

      • by Nerdfest (867930)
        This is something that webmail has need for ages. Encrypted email is relatively easy to implement, and is free, but webmail makes it difficult to do without handing your keys over to a third party (GMail, HotMail, etc). This solves the problem nicely. It would be great to see this, or something similar widely adopted.
      • by Lennie (16154)

        A secure channel: like a for example a browser extension loaded from your local HDD/SDD ? Which this is.

      • by yuhong (1378501)

        Don't forget XSS attacks. XHTML can help here by its strict error handing, and I have suggested logging XML errors to a server before.

  • by Viol8 (599362) on Tuesday November 22, 2011 @06:01AM (#38133888)

    In the last year or so suddenly everyone seems to write everything in javascript whether appropriate or not. So these guys really think the future of development lies in the browser which will what, replace the OS as the top level development platform? Sorry , but thats rubbish. It aint gonna happen. Too many disperate browsers with their own quirks and bugs, poor performance and ultimately limited functionality.

    So other than "to see if it can be done" what exactly is the point of these projects? However much webdevs might like it to happen, javascript won't be replacing Java, C++ or C# anytime soon for serious development.

    • by Anonymous Coward

      I'm pretty sure it's appropriate to write a browser extension in javascript, given that its the only language Chrome allows.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Email encryption (OpenPGP and SMIME ) is done on the client side. People have to use to email client softwares ( outlook, thunderbird ..etc) to encrypt/sign their messages.
      The problem, what if you dont wanna use an email client ?
      The solution
      1 - Do it manually ( copy, encrypt/sign , past)
      OR - Implement it on the "new" client software (ie: the browser )
      The reason of javascript is th

    • by Anonymous Coward

      Plagiarist! Almost this exact comment was made 20 years ago:

      In the last year or so suddenly everyone seems to write everything in C whether appropriate or not. So these guys really think the future of development lies in the windows interface which will what, replace the command-line as the top level development platform? Sorry , but thats rubbish. It aint gonna happen. Too many disperate GUIs with their own quirks and bugs, poor performance and ultimately limited functionality.

      So other than "to see if it

      • I think you mean thirty?

        Twenty years ago is so, '90s.

      • by Necroman (61604)

        Lets play the fill in the blank game!

        COBOL compiles to _________.
        FORTRAN compiles to _________.
        C compiles to ___________.
        Javascript compiles to ___________.

        There really isn't a good way to compile to Javascript because of the amount the backend work that is needed for it to run (garbage collection anyone). They could try to do what "Go" does and include the garbage collection functionality in the system libraries or in the executable.

        Also, no sane OS dev would ever use Javascript for their language of choi

        • Nothing is forcing anyone to use the "cruft" though.. there are corner cases in every language that can be considered *very* bad form.
    • Indeed. What we need is a low-level language without garbage collection.

      Difficult to program by humans.
      Easy to target by a compiler back-end.

      Give us that, and open-source will give us all the tools and libraries to bring webdevelopment to the next level.

    • by slim (1652)

      So these guys really think the future of development lies in the browser which will what, replace the OS as the top level development platform? Sorry , but thats rubbish. It aint gonna happen.

      Altogether replace? For everyone? Maybe not.

      But while I use MS Office for my job, *all* my personal word-processing and spreadsheeting is done in Google Docs, and *all* my personal email has been in GMail ever since I got my beta invite -- and I'm not alone. There are flaws in these applications, but they're all outweighed by the ease of moving between computers, and sharing documents with other people.

      You don't have to kill your competition in order to be worth doing.

      • by Viol8 (599362)

        "ease of moving between computers,"

        Who moves between computers to do documentation? I mean really, is your company so skint it can't afford laptops and you have to work in netcafes?

        • by slim (1652)

          I said it was for personal stuff. I can get at my Google Docs on my laptop, on my home desktop, on my partner's PC, on my parents' PC... anywhere.

          That said, if I ran my own company, I'd use Google Docs too.

    • It's more portable than anything else, and it's capable of more than popups. I can only see this trend utilizing processing power better than the (now fading) model of "do it all on the server". How many more people will use PGP if it's built into their webmail client? They won't need to install anything, configure anything - just use.

      There are a number of things I'd like to push to the browser. With accompanying server fallbacks, browser processing could greatly reduce my server load which would increa

    • Javascript is the only language actually delivering on the promise of "write-once-run-anywhere." Well, "anywhere" that has a web browser, which is just about any device that does human interaction these days. All the other languages you mentioned have numerous environmental dependencies (separately installed run-times, OS specific conditionals, browser plug-ins, compiler specifics, etc.). Javascript sucks in many ways, but it sucks less than the alternatives for building an application quickly that can wor
  • I encountered what was at least a serious attempt to do exaxtly the same thing in the mid-90s. And I used it, too. Together with a colleague. We both worked in a tiny outfit where the boss was meddling in corruption with local politicians and corporate local heroes. Having such a thing as PGP usable in browsers and email clients truly was PGP to us: pretty good protection ( for the evidence we found against our boss ).
    • Wait, you mailed encrypted evidence to the clients and would have given them the key in case stuff turned bad?

      Interesting idea, I think it would have been better to mail that to newspapers and maybe directly file a complaint. Though, your business. ... Well, on second thought "get a new job" would have been an appropriate solution, too.

  • Key management (Score:4, Interesting)

    by DrXym (126579) on Tuesday November 22, 2011 @06:09AM (#38133918)
    So where do the keys get stored? If it's the HTML web storage, does that mean that you can only store keys per domain? Is that even advisable? And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?

    I think for reasons of trust that if you were to use js PGP that it should be from a browser extension that could be reviewed and be within your control to some extent. Or better yet if the js became a core part of a browser where the code could be implicitly trusted. I'd love to see something like Firefox support go further and use a lib like this so unsigned certs could instead describe a web of trust via PGP and modify the manner in which Firefox presents such certs to a user. CAs are the biggest racket on the web and are IMO the biggest impediment to https being the default protocol for web activity.

    • by Anonymous Coward on Tuesday November 22, 2011 @07:47AM (#38134374)

      So where do the keys get stored?

      They get stored in the Article.

      does that mean that you can only store keys per domain?

      That is also in the Article.

      And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?

      Try reading the Article.

      I think for reasons of trust that if you were to use js PGP

      And I think that before you start spouting off with an opinion, maybe you should, you know, read the article so you have a clue what the fuck you're talking about.

    • >And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?

      A remote site wouldn't be signing something for you given appropriate design. A remote site encrypting something for you would use your public key, which is not a secret.

    • "I'd love to see something like Firefox support go further and use a lib like this so unsigned certs could instead describe a web of trust via PGP and modify the manner in which Firefox presents such certs to a user. CAs are the biggest racket on the web and are IMO the biggest impediment to https being the default protocol for web activity."

      I give you Convergence: http://convergence.io/ [convergence.io]

      And the OWASP Keynote where it was presented: http://www.ustream.tv/recorded/17457016/ [ustream.tv]

      • by DrXym (126579)
        Convergence sounds close enough to what I suggested in another thread to make me think it's viable. But only if it becomes more than an extension - every modern browser needs to sign off on the concept and implement the core functionality as part of itself. I also wonder if notaries are enough, or whether it should be a bona fide web of trust. On another thread I suggested that trust for a company like Toys R Us would have more relevance to a visitor if it were signed by Lego, Hasbro, Microsoft, Visa etc. t
  • Have been working on something similar very very slowly: a single ASP.Net web page (which could easily be ported to PHP no doubt) that acted as a proxy web browser that encrypted its traffic using a GPG key randomly generated (or provided by the user). It'd be text only ( = no accusations of being used for child pr0n or for teh pirates) but the idea would be that anyone could drop it into their own website without having to configure it and instantly people living under opressive censoring regimes (China,Ir

  • by dingen (958134) on Tuesday November 22, 2011 @06:25AM (#38133994)
    News flash: turing-complete programming languages can be used to created anything. Why is it news when another random project is done in Javascript?
    • Because most of the internet users still use "IE8" or less and therefor see JavaScript as something which sucks, is slow and can't find it's own tail?
    • Amen. Soon, JS will run the stove in my living room. Version 2.0 will also run my lover, making her sit really elegantly with a book on the couch facing that stove.
      • Unfortunately it won't be until v3 that it can actually get you to realize that the purpose of a lover is something other than to sit elegantly with a book on the couch facing the stove, and even a massively parallel supercomputer will never get you an actual lover, thereby making the code useless.
    • by Chrisq (894406)

      News flash: turing-complete programming languages can be used to created anything.

      That really would be a newsflash. WHat about the halting problem? [wikipedia.org] Or the P=NP problem? [wikipedia.org]

      • by Splab (574204)

        What about them?

        • by Chrisq (894406)

          What about them?

          It really would be a newsflash if they could be solved in a Turing-complete language.

          • by dingen (958134)
            What does that have to do with the fact you can create any program with a Turing-complete programming language?
            • by Chrisq (894406)

              What does that have to do with the fact you can create any program with a Turing-complete programming language?

              Nothing, but was responding to GGP post saying that they could do anything.

    • Indeed, it would be way more cool if we would have a compiler back-end that targets javascript.

    • News flash: turing-complete programming languages can be used to created anything. Why is it news when another random project is done in Javascript?

      Ah, the old Turing-complete chestnut. Just because something is possible, does not mean it is feasible, practical, or easy. It's probably possible to code it in brainfuck [muppetlabs.com], chef [dangermouse.net], lolcode [lolcode.com] or a bunch of rocks [xkcd.com] but no-one in their right mind would want to.

      What's really interesting about this is that it now brings PGP to almost device with a browser - that is: those with browsers which have javascript support. This gives us such joys as iPhones with PGP that Apple can't suddenly decide they don't want people to h

      • by dingen (958134)

        Ah, the old Turing-complete chestnut. Just because something is possible, does not mean it is feasible, practical, or easy.

        Doing PGP in Javascript isn't all that different from doing it in any other programming language. The only single difference between doing a random project in Javascript versus Perl, Ruby, Python or whatever is that since all the browsers run JS, the project is accessible to probably the largest possible user base. That makes JS cool to do a project in. But since this is true for everything done in JS, I really don't think it needs to be promoted on the front page every single time someone decides to develo

      • by cpuh0g (839926)

        What's really interesting about this is that it now brings PGP to almost device with a browser - that is: those with browsers which have javascript support. This gives us such joys as iPhones with PGP that Apple can't suddenly decide they don't want people to have.

        Apple doesn't give a shit if you have PGP on your iPhone or not. There are some decent PGP apps available for a fair price. http://ipgmail.com/ [ipgmail.com] for example.

  • I'm sure cryptologist's agree! What could possibly go wrong?!
  • by fwice (841569) on Tuesday November 22, 2011 @07:08AM (#38134166)

    How is this different from FireGPG? With the exception that this is still in development versus the stall in FireGPG?

    • by crush (19364)

      FireGPG has to call a local copy of GPG outside of the browser. This GPG4Browsers all happens within the browser. The eventual goal seems to be to be able to provide OpenPGP even in environments where GPG is not installed on the OS and the user only has rights to run a web-browser.

      The authors are aware of the following problems in the _prototype_:
      - this uses HTML5 local store which can't be cleared securely
      - it lacks validation of certificates

  • by Anonymous Coward

    Generally speaking, porting cryptographic implementations between systems is not as easy as "do both implementations produce the same output for the many test inputs tried?".

    Proper implementations will mitigate against side channel attacks by:

    • Ensuring loops within crypto implementations execute in constant time regardless of the input (both plaintext and key)
    • Ensuring keypresses are obtained on a poll cycle as opposed to being handled on each interrupt (if the key is inputted via keyboard)
    • Ensuring that keypr
  • If it's using JavaScript, they should call this version OpenPBP.

  • I don't see why all the fuss is made about JS's capabilities. Coming from a very strong Perl/Unix background I see the appealing side of scripting. But if I take into account business programming, JS makes me shiver to the spine.

    I grew up being generally interested in CS and specifically in programming. Most programmers I meet hardly ever cease to amaze me at the nonchalance which they adopt when writing code. You (dis-) qualify yourself with me as soon as the argument of "well it works" pops up. Program
    • the fuzz is that it can run in the browser sandbox, a requirement for chrome extensions, and for firefox's "restartless" extensions/jetpack (not for the good old ones)

    • by dingen (958134)

      Why use a scripting language to program complex software when other better maintainable technologies are around?

      Because of all the devices running a JS-capable browser these days, meaning that your JS-powered application is accessible to virtually every citizen of this planet.

    • by slim (1652)

      The appeal of scripting languages in business apps, to me, is embedding. I don't really care whether it's Javascript, Python, Lua, Groovy or whatever else. Write the core of your application in Java or C, embed a script interpreter, bind some classes/functions and program the high level logic in the more readable, malleable scripting language.

      This doesn't mean that non-programmers can be trusted to write those parts. But it means you can free up cognitive load when writing the business logic; the scripting

  • This will make basic encrypted messaging tough to block by oppressive regimes like Iran and China. This is good for basic personal freedom.

If the code and the comments disagree, then both are probably wrong. -- Norm Schryer

Working...