OpenPGP Implemented In JavaScript 167
angry tapir writes with this excerpt from Tech World: "Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages. Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with GMail."
A quick gander at the source leaves me with the impression that it should be more or less portable to other browsers. It's also built using a lot of off-the-shelf Javascript libraries. (Who knew Javascript had a bignum library and a number of cipher implementations?)
Who knew? (Score:4, Insightful)
who knew Javascript had a bignum library and a number of cipher implementations
Those that know JavaScript?
And I don't mean the kids copy/pasting stuff found on the web, but real people working with JavaScript and having knowledge of the language, libraries, etc.
The biggest problem with JavaScript is that the world is plagued with kiddos that think they know JavaScript when all they know is how to search their needs on Google and copy/paste from there.
Re:Who knew? (Score:4, Insightful)
Ah yes, the stereotypical programmer.. You're either a genius or an idiot. You must be real fun to work with.
Re:Who knew? (Score:5, Insightful)
Re:Who knew? (Score:4, Interesting)
Re: (Score:2)
I have found this to be the root cause of so many problems .. and many disturbances.
It's amazing what people do when they reach that point in their job where it takes a significant level of knowledge to understand ... that they are not doing their job well .. and sometimes not at all.
I tend to equal the $$$ in my bank account with the "effort" I put in at work.
And, in relation to the article, I am looking forward to using this functionality from work
Re: (Score:2)
Since you don't understand the point here's another example..
Developers with an S! MORON!!!! You must be terrible at your job! See the point now?
Re: (Score:1)
Re: (Score:2)
Re:Who knew? (Score:5, Interesting)
The short book, JavaScript: The Good Parts, by Douglas Crockford ....
Re:Who knew? (Score:5, Funny)
The short book, JavaScript: The Good Parts, by Douglas Crockford ....
A book on JavaScipt's good parts is short?! I am shocked, sir!
Re: (Score:2)
I see where you're coming from, but the book *does* list the bad parts that it suggests you don't use, and they're not *that* numerous.
The nutty parts are horrible (equality and null and so forth), but he provides rules-of-thumb which, if followed, mean you won't get bitten.
The book is mostly short because Javascript is a small language.
The huge JS books are big because they go into great detail about the DOM, which is out of scope for Crockford.
Re:Who knew? (Score:4, Insightful)
Douglas Crockford has some weird recommendations that seem to come from him being bitten by evil hacks by a real nutjob once upon a time (maybe himself?). I don't think he represents the majority of Javascript programmers.
It's a bit like if you were in a C++ team and someone thought it would be fun to overload the + operator to do weird things on ints. Afterwards you're so scared that you go around advocating people use c_mathlibrary_plus(a, b) instead of using + since someone might have hacked the +. IMHO that's not relevant advice for most people.
Of course, some people think that languages where you can mess with things are evil. But it's not that easy. To take the operator overloading example: If you've ever tried expressing an algorithm involving lots of vector and matrix math in a language that doesn't allow overloading of operators, you'll see what I mean. It's true, of course, that most of the time you should stay far away from that sort of magic, and it's just plain stupid that C++ hints that frivolous operator overloading is okay by doing it in the standard I/O library.
Same thing with Javascript. The basic stuff will get you through 99.9% of the cases.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
JavaScript is a fad that's on its way out.
Which is why node.js is constantly losing popularity and dynamic web pages are being replaced by static ones, right?
(For the record, this dipship knows more than JS, but thinks that JS, with all its flaws, is mainly misunderstood and especially taught wrong. But many of the flaws could be rectified with the adoption of Harmony - but, while other browsers are quite quick in adapting new technologies, IE will probably prevent the change for many years to come)
Re:Who knew? (Score:5, Interesting)
It can't be done. The problem is that the language itself is so horribly broken that anything built upon it, be it libraries, applications, tutorials or books, will inherently be horrible, too. JavaScript just can't be salvaged. It needs to be discarded.
I used to think this, but I don't any more. The aforementioned Crockford book is the bible on this.
There is a "pleasant" Javascript community, and what they have done is to separate Javascript into three parts:
- the good parts -- use them
- the bad parts -- avoid using them altogether
- the missing parts -- build acceptable workarounds to these using what's available
For example, Javascript has a horrible tendency for scripts to pollute the global variable namespace. The community came up with the CommonJS module convention, which solves the problem rather neatly.
Re:Who knew? (Score:5, Insightful)
JavaScript is a fad that's on its way out. The same thing happened to Ruby due to Ruby on Rails. The Ruby hype really started taking off around 2006, but by 2010 people realized how shitty Ruby and RoR actually are. That's why we hear almost nothing about either of them these days. The same thing is happening to JavaScript, although it's delayed slightly. It really started taking off around 2008, so it's a couple of years behind Ruby. By 2013, it's likely that JavaScript and its advocates will be widely shunned, too.
2008? JavaScript gained widespread popularity around mid-1996, so by your reckoning it should have faded away sometime in 2001. Like all languages, JavaScript has its warts and WTF moments, but it is the poor craftsman who blames his tools, especially if those tools are being used by millions of other craftsman around the world to create all manner of novel and useful applications (to admittedly varying levels of quality, but again that's more about the developer's skill level than the language itself). Solving the JavaScript problem is a simple five-step process, though: create the One Perfect Language, convince the major browser manufacturers to include a flawless implementation, get all of the current JS developers to learn to code in it correctly, rewrite all existing codebases in it, and make the entire world upgrade their browsers. Done! Now, what's for lunch...?
Re: (Score:2)
What are you using for confirmation? NetCraft?
Re: (Score:2)
I think the implication is that if it's amenable to copy/paste, it ought to be in a library.
Not just webmail (Score:2)
Could be used for web forums too.
Re: (Score:3)
Could be used for web forums too.
Only to sign the message (Or you must encrypt the post for everyone authorized to see it )
Or on slashdot: -----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.7 (MingW32)
hQIOA68nz9GqU7SREAgAxWfwvpziO4N6KquxmeuYD/txfTceyXRZGVqAGFUGmOdE
+K9PCLp/+p3cFC8OcOZg8WReI4wlpYzgS3/XsB4LL9MegSHwjjI9jNsnQOr9EeLA
IgDEb1NeXZ499qnSY1ZvCy/VCF1O7H71y77VQTckpfyHgWvzkaaaheMC0r+JGLZO
0w3NCTERFJ8XaXKz/+qw4gA7xxbpT9nXVXMwEwYgiAviJBJhdYw63oTlRYGgGzPh
H2YVNv2TWnpWp816xi+sbM1ZsJJERnAZSADKFYZzYw4E73VhUlrX5YBY4WN7UmQw
yg73zfJYBuJ8+HymPhUUNH7KFqT5T2Cv4TRJgeWvxAgA3/bSCxncZ640z7KlMCMk
IskJkKRau6jeLJZKheZnyBoYiJLuJw+4FeOIkpk3ZKbW
Re: (Score:3)
Gives me an idea for a forum which is just a constant stream of encrypted content. Clients decrypt any content they can.
Re: (Score:2)
Interesting idea. Problem is, who gets keys to actually see the messages and what is the method for acquiring them?
Re: (Score:2)
I think it might be useful for messaging in environments where authorities try to monitor communication. Without the decryption key you just see a stream of encrypted data. Keys would be distributed off-line.
Re: (Score:2)
| gpg
gpg: encrypted with 2048-bit ELG-E key, ID AA53B491, created 2001-11-13
"Eric L. Howes "
gpg: decryption failed: secret key not available
Well, I guess this one isn't for me.
Isn't encryption in JavaScript considered harmful? (Score:3, Interesting)
http://www.matasano.com/articles/javascript-cryptography/
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Isn't encryption in JavaScript considered harmf (Score:5, Informative)
http://www.matasano.com/articles/javascript-cryptography/
The above was written by someone without an understanding of public key cryptography. All you need to do is ensure that the crypto JavaScript is delivered through a secure channel. Once you have done that you can publish a public key on an insecure site and allow people to send data to you which cannot be intercepted. You can also let them generate a key pair and send you the public key, after which you can send them a response.
Re: (Score:3)
Re:Isn't encryption in JavaScript considered harmf (Score:4, Informative)
Hushmail lost a lot of credibility a few years ago when it turned out that its most commonly-used encryption method that ran server-side was delivered in a modified state at the request of government agencies. Yes, there are issues with trusting anything server-side, but its promises started sounding hollow when the CTO openly admitted it.
If you built your own applet from the public source code, the interception was not an issue, but if you used the easier mechanism hosted by Hushmail, you were at risk of your mail being decrypted and turned over.
http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/ [wired.com]
Re: (Score:2)
A secure channel: like a for example a browser extension loaded from your local HDD/SDD ? Which this is.
Re: (Score:2)
Don't forget XSS attacks. XHTML can help here by its strict error handing, and I have suggested logging XML errors to a server before.
out-of-band not optional (Score:2)
A secure out-of-band channel is essential to secure communication.
One channel is never enough.
Re: (Score:2)
Whats this obsession for everything in Javascript? (Score:5, Insightful)
In the last year or so suddenly everyone seems to write everything in javascript whether appropriate or not. So these guys really think the future of development lies in the browser which will what, replace the OS as the top level development platform? Sorry , but thats rubbish. It aint gonna happen. Too many disperate browsers with their own quirks and bugs, poor performance and ultimately limited functionality.
So other than "to see if it can be done" what exactly is the point of these projects? However much webdevs might like it to happen, javascript won't be replacing Java, C++ or C# anytime soon for serious development.
Re: (Score:1)
I'm pretty sure it's appropriate to write a browser extension in javascript, given that its the only language Chrome allows.
Re: (Score:3, Informative)
Email encryption (OpenPGP and SMIME ) is done on the client side. People have to use to email client softwares ( outlook, thunderbird ..etc) to encrypt/sign their messages.
The problem, what if you dont wanna use an email client ?
The solution
1 - Do it manually ( copy, encrypt/sign , past)
OR - Implement it on the "new" client software (ie: the browser )
The reason of javascript is th
Re: (Score:1)
Did you even read TFS?
Re: (Score:2)
You can already get encryption of your link between google and yourself - just use https, or imap with ssl. In fact, I'm pretty sure that https is the default for the web viewer now.
The article is talking about something different.
Re: (Score:3)
Link-level, yes. However, what if google's certificate got hacked? With your emails signed and encrypted (especially on the client side) it would add en extra layer of security.
Re: (Score:2)
Plagiarist! Almost this exact comment was made 20 years ago:
In the last year or so suddenly everyone seems to write everything in C whether appropriate or not. So these guys really think the future of development lies in the windows interface which will what, replace the command-line as the top level development platform? Sorry , but thats rubbish. It aint gonna happen. Too many disperate GUIs with their own quirks and bugs, poor performance and ultimately limited functionality.
So other than "to see if it
20 years ago? (Score:2)
I think you mean thirty?
Twenty years ago is so, '90s.
Re: (Score:2)
Lets play the fill in the blank game!
COBOL compiles to _________.
FORTRAN compiles to _________.
C compiles to ___________.
Javascript compiles to ___________.
There really isn't a good way to compile to Javascript because of the amount the backend work that is needed for it to run (garbage collection anyone). They could try to do what "Go" does and include the garbage collection functionality in the system libraries or in the executable.
Also, no sane OS dev would ever use Javascript for their language of choi
Re: (Score:2)
Re: (Score:2)
Indeed. What we need is a low-level language without garbage collection.
Difficult to program by humans.
Easy to target by a compiler back-end.
Give us that, and open-source will give us all the tools and libraries to bring webdevelopment to the next level.
Re: (Score:2)
So these guys really think the future of development lies in the browser which will what, replace the OS as the top level development platform? Sorry , but thats rubbish. It aint gonna happen.
Altogether replace? For everyone? Maybe not.
But while I use MS Office for my job, *all* my personal word-processing and spreadsheeting is done in Google Docs, and *all* my personal email has been in GMail ever since I got my beta invite -- and I'm not alone. There are flaws in these applications, but they're all outweighed by the ease of moving between computers, and sharing documents with other people.
You don't have to kill your competition in order to be worth doing.
Re: (Score:2)
"ease of moving between computers,"
Who moves between computers to do documentation? I mean really, is your company so skint it can't afford laptops and you have to work in netcafes?
Re: (Score:2)
I said it was for personal stuff. I can get at my Google Docs on my laptop, on my home desktop, on my partner's PC, on my parents' PC... anywhere.
That said, if I ran my own company, I'd use Google Docs too.
Re: (Score:2)
It's more portable than anything else, and it's capable of more than popups. I can only see this trend utilizing processing power better than the (now fading) model of "do it all on the server". How many more people will use PGP if it's built into their webmail client? They won't need to install anything, configure anything - just use.
There are a number of things I'd like to push to the browser. With accompanying server fallbacks, browser processing could greatly reduce my server load which would increa
Re: (Score:2)
Re: (Score:2)
"such-and-such a browser will be sending such-and-such a request to you."
In which case they'll be doing server side development so why exactly would any sane person be using javascript for this? In the "real world" I live in javascript stays in the browser. End of.
You might want to think through your replies before you start typing.
Re: (Score:2)
Except a buggy browser needs to store your private key. That doesn't sound so reasonable to me.
Re: (Score:2)
The traditional operating system controls access to hardware, virtual memory, provides an API and schedules processes. Something will still have to do that so the "traditional" OS isn't going anywhere. It'll probably just be less obvious.
Strange. Is this news ? (Score:1)
Re: (Score:2)
Wait, you mailed encrypted evidence to the clients and would have given them the key in case stuff turned bad?
Interesting idea, I think it would have been better to mail that to newspapers and maybe directly file a complaint. Though, your business. ... Well, on second thought "get a new job" would have been an appropriate solution, too.
Re: (Score:2)
Key management (Score:4, Interesting)
I think for reasons of trust that if you were to use js PGP that it should be from a browser extension that could be reviewed and be within your control to some extent. Or better yet if the js became a core part of a browser where the code could be implicitly trusted. I'd love to see something like Firefox support go further and use a lib like this so unsigned certs could instead describe a web of trust via PGP and modify the manner in which Firefox presents such certs to a user. CAs are the biggest racket on the web and are IMO the biggest impediment to https being the default protocol for web activity.
Re:Key management (Score:5, Funny)
So where do the keys get stored?
They get stored in the Article.
does that mean that you can only store keys per domain?
That is also in the Article.
And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?
Try reading the Article.
I think for reasons of trust that if you were to use js PGP
And I think that before you start spouting off with an opinion, maybe you should, you know, read the article so you have a clue what the fuck you're talking about.
Re: (Score:2)
>And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?
A remote site wouldn't be signing something for you given appropriate design. A remote site encrypting something for you would use your public key, which is not a secret.
Re: (Score:2)
"I'd love to see something like Firefox support go further and use a lib like this so unsigned certs could instead describe a web of trust via PGP and modify the manner in which Firefox presents such certs to a user. CAs are the biggest racket on the web and are IMO the biggest impediment to https being the default protocol for web activity."
I give you Convergence: http://convergence.io/ [convergence.io]
And the OWASP Keynote where it was presented: http://www.ustream.tv/recorded/17457016/ [ustream.tv]
Re: (Score:2)
Beat me to it (Score:2)
Have been working on something similar very very slowly: a single ASP.Net web page (which could easily be ported to PHP no doubt) that acted as a proxy web browser that encrypted its traffic using a GPG key randomly generated (or provided by the user). It'd be text only ( = no accusations of being used for child pr0n or for teh pirates) but the idea would be that anyone could drop it into their own website without having to configure it and instantly people living under opressive censoring regimes (China,Ir
"Wow, there's really no limit to what JS can do!" (Score:5, Insightful)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Your user id isn't what I call low at all.
Sigh
Kids
Re: (Score:2)
:-)
Re: (Score:1)
News flash: turing-complete programming languages can be used to created anything.
That really would be a newsflash. WHat about the halting problem? [wikipedia.org] Or the P=NP problem? [wikipedia.org]
Re: (Score:2)
What about them?
Re: (Score:2)
What about them?
It really would be a newsflash if they could be solved in a Turing-complete language.
Re: (Score:2)
Re: (Score:2)
What does that have to do with the fact you can create any program with a Turing-complete programming language?
Nothing, but was responding to GGP post saying that they could do anything.
Re: (Score:2)
Indeed, it would be way more cool if we would have a compiler back-end that targets javascript.
The real point is... (Score:3)
News flash: turing-complete programming languages can be used to created anything. Why is it news when another random project is done in Javascript?
Ah, the old Turing-complete chestnut. Just because something is possible, does not mean it is feasible, practical, or easy. It's probably possible to code it in brainfuck [muppetlabs.com], chef [dangermouse.net], lolcode [lolcode.com] or a bunch of rocks [xkcd.com] but no-one in their right mind would want to.
What's really interesting about this is that it now brings PGP to almost device with a browser - that is: those with browsers which have javascript support. This gives us such joys as iPhones with PGP that Apple can't suddenly decide they don't want people to h
Re: (Score:2)
Ah, the old Turing-complete chestnut. Just because something is possible, does not mean it is feasible, practical, or easy.
Doing PGP in Javascript isn't all that different from doing it in any other programming language. The only single difference between doing a random project in Javascript versus Perl, Ruby, Python or whatever is that since all the browsers run JS, the project is accessible to probably the largest possible user base. That makes JS cool to do a project in. But since this is true for everything done in JS, I really don't think it needs to be promoted on the front page every single time someone decides to develo
Re: (Score:2)
What's really interesting about this is that it now brings PGP to almost device with a browser - that is: those with browsers which have javascript support. This gives us such joys as iPhones with PGP that Apple can't suddenly decide they don't want people to have.
Apple doesn't give a shit if you have PGP on your iPhone or not. There are some decent PGP apps available for a fair price. http://ipgmail.com/ [ipgmail.com] for example.
Jolly Good Idea (Score:2)
FireGPG (Score:3)
How is this different from FireGPG? With the exception that this is still in development versus the stall in FireGPG?
Re: (Score:2)
FireGPG has to call a local copy of GPG outside of the browser. This GPG4Browsers all happens within the browser. The eventual goal seems to be to be able to provide OpenPGP even in environments where GPG is not installed on the OS and the user only has rights to run a web-browser.
The authors are aware of the following problems in the _prototype_:
- this uses HTML5 local store which can't be cleared securely
- it lacks validation of certificates
Re: (Score:2)
thanks!
It's not that easy: side channel attacks (Score:2, Interesting)
Generally speaking, porting cryptographic implementations between systems is not as easy as "do both implementations produce the same output for the many test inputs tried?".
Proper implementations will mitigate against side channel attacks by:
OpenPBP? (Score:2)
If it's using JavaScript, they should call this version OpenPBP.
Not a complete fan of JS (Score:2)
I grew up being generally interested in CS and specifically in programming. Most programmers I meet hardly ever cease to amaze me at the nonchalance which they adopt when writing code. You (dis-) qualify yourself with me as soon as the argument of "well it works" pops up. Program
Re: (Score:2)
the fuzz is that it can run in the browser sandbox, a requirement for chrome extensions, and for firefox's "restartless" extensions/jetpack (not for the good old ones)
Re: (Score:2)
Why use a scripting language to program complex software when other better maintainable technologies are around?
Because of all the devices running a JS-capable browser these days, meaning that your JS-powered application is accessible to virtually every citizen of this planet.
Re: (Score:2)
The appeal of scripting languages in business apps, to me, is embedding. I don't really care whether it's Javascript, Python, Lua, Groovy or whatever else. Write the core of your application in Java or C, embed a script interpreter, bind some classes/functions and program the high level logic in the more readable, malleable scripting language.
This doesn't mean that non-programmers can be trusted to write those parts. But it means you can free up cognitive load when writing the business logic; the scripting
Good for freedom (Score:2)
Re: (Score:3, Funny)
I want to know who at Teh Google screwed that one up !!
Some group of bears maybe?
Re: (Score:2)
It's a "Haute Cuisine" dessert, I think. They sell it at the local boutique over-priced (e.g. organic, etc) food store by me. It doesn't look very appetizing.. do you spit out the wax, or try to eat around it?
Re: (Score:2)
You pretty much just chew on it until you've managed to get all the honey out then spit out the blob of wax.
Re: (Score:1)
I've been to the hideout. It ain't pretty, let me tell you.
Re:Yeah right (Score:5, Informative)
Re: (Score:2)
...import his private and public keys into the local database...
That's what they want you to think....
Re: (Score:2)
Because of the security issues raised by any javascript code:
- transmitted from a potentially rooted server, or
- intercepted by a MITM attack, or
- received by a rooted client
this implementation is not secured as specified in the techworld article
Out of your three objections the second one is the only real concern that does not also apply to SSL. Transmission of the JavaScript does not have to come from the same machine as the one using it. If this catches on I would expect most people would download it from an SSL-secured plugin site. If the client is rooted, then absolutely nothing can protect you, including SSL.
The only real weakness is the man in the middle attack. Unless you can guarantee that the public certificate is from the source you have
Re: (Score:1)
I'll entrust my keys to code coming from a remote server that now has the ability to send mails as me with non-repudiation and read anything sent to me in ciphertext.
Huh. You probably shouldn't do that. Maybe consider a solution like the one mentioned in the article instead.