OpenPGP Implemented In JavaScript

Unknown Lamer posted more than 2 years ago | from the what-won't-someone-do-next dept.

Encryption 167

angry tapir writes with this excerpt from Tech World: "Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages. Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with GMail." A quick gander at the source leaves me with the impression that it should be more or less portable to other browsers. It's also built using a lot of off-the-shelf Javascript libraries. (Who knew Javascript had a bignum library and a number of cipher implementations?)

167 comments

SINCE WHEN IS HONEYCOMB A DESSERT ?? (-1)

Anonymous Coward | more than 2 years ago | (#38133796)

I want to know who at Teh Google screwed that one up !!

Re:SINCE WHEN IS HONEYCOMB A DESSERT ?? (2, Funny)

Pieroxy (222434) | more than 2 years ago | (#38133806)

I want to know who at Teh Google screwed that one up !!

Some group of bears maybe?

Re:SINCE WHEN IS HONEYCOMB A DESSERT ?? (0)

Anonymous Coward | more than 2 years ago | (#38133828)

You've obviously never eaten honeycomb, then.

Re:SINCE WHEN IS HONEYCOMB A DESSERT ?? (1)

Anonymous Coward | more than 2 years ago | (#38133900)

I've been to the hideout. It ain't pretty, let me tell you.

Re:SINCE WHEN IS HONEYCOMB A DESSERT ?? (1)

zippthorne (748122) | more than 2 years ago | (#38134412)

It's a "Haute Cuisine" dessert, I think. They sell it at the local boutique over-priced (e.g. organic, etc) food store by me. It doesn't look very appetizing.. do you spit out the wax, or try to eat around it?

Re:SINCE WHEN IS HONEYCOMB A DESSERT ?? (1)

Abstrackt (609015) | more than 2 years ago | (#38134548)

You pretty much just chew on it until you've managed to get all the honey out then spit out the blob of wax.

Re:SINCE WHEN IS HONEYCOMB A DESSERT ?? (1)

schroedingers_hat (2449186) | more than 2 years ago | (#38134552)

I've had it before. I don't know if it's treated somehow, but you can just eat the whole lot. It's quite tasty, primarily because of the honey.

Who knew? (4, Insightful)

Pieroxy (222434) | more than 2 years ago | (#38133800)

who knew Javascript had a bignum library and a number of cipher implementations

Those that know JavaScript?

And I don't mean the kids copy/pasting stuff found on the web, but real people working with JavaScript and having knowledge of the language, libraries, etc.

The biggest problem with JavaScript is that the world is plagued with kiddos that think they know JavaScript when all they know is how to search their needs on Google and copy/paste from there.

Re:Who knew? (0)

Anonymous Coward | more than 2 years ago | (#38133816)

The worst part is a lot of the so-called Help out there is also done this way.
So you have about 1500 websites with all the same damn information and not the stuff that anybody is actually looking for, or needs, because they all seem to have ripped off the same source.

Re:Who knew? (4, Insightful)

LingNoi (1066278) | more than 2 years ago | (#38133818)

Ah yes, the stereotypical programmer.. You're either a genius or an idiot. You must be real fun to work with.

Re:Who knew? (-1)

Anonymous Coward | more than 2 years ago | (#38133996)

You idiot! I am a programmeur - all else are beneath me!

Re:Who knew? (4, Insightful)

Zero__Kelvin (151819) | more than 2 years ago | (#38134476)

The fact remains that a large majority of programmers today would do the world a service by changing careers. The industry is flooded with programmers who cannot program [codinghorror.com].

Re:Who knew? (0)

Oligonicella (659917) | more than 2 years ago | (#38133822)

Seconded. More inane language bias on display.

Re:Who knew? (1)

Xner (96363) | more than 2 years ago | (#38134004)

Actually, since we're on topic now, I have been looking for a good way to get into JavaScript that steers clear of the cargo cult mentality. Do you have any pointers for books, tutorials etc?

Re:Who knew? (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38134030)

The short book, JavaScript: The Good Parts, by Douglas Crockford ....

Re:Who knew? (0)

Anonymous Coward | more than 2 years ago | (#38134188)

It's quite telling when the most popular and useful book about a given programming language goes out of its way to tell you to only use a small subset of the language's functionality. It just goes to show how backward JavaScript is. The less of it you use, the better off you are!

Re:Who knew? (1)

slim (1652) | more than 2 years ago | (#38134366)

I see where you're coming from, but the book *does* list the bad parts that it suggests you don't use, and they're not *that* numerous.

The nutty parts are horrible (equality and null and so forth), but he provides rules-of-thumb which, if followed, mean you won't get bitten.

The book is mostly short because Javascript is a small language.

The huge JS books are big because they go into great detail about the DOM, which is out of scope for Crockford.

Re:Who knew? (5, Funny)

Anonymous Coward | more than 2 years ago | (#38134326)

The short book, JavaScript: The Good Parts, by Douglas Crockford ....

A book on JavaScript's good parts is short?! I am shocked, sir!

Re:Who knew? (0)

Anonymous Coward | more than 2 years ago | (#38134084)

It can't be done. The problem is that the language itself is so horribly broken that anything built upon it, be it libraries, applications, tutorials or books, will inherently be horrible, too. JavaScript just can't be salvaged. It needs to be discarded.

This is usually the point where some dipshit who only knows JavaScript will start mistakenly claiming that JavaScript is "similar to Scheme". Don't buy into that bullshit. Anyone who knows Scheme knows that JavaScript is far inferior and they are no way alike.

JavaScript is a fad that's on its way out. The same thing happened to Ruby due to Ruby on Rails. The Ruby hype really started taking off around 2006, but by 2010 people realized how shitty Ruby and RoR actually are. That's why we hear almost nothing about either of them these days. The same thing is happening to JavaScript, although it's delayed slightly. It really started taking off around 2008, so it's a couple of years behind Ruby. By 2013, it's likely that JavaScript and its advocates will be widely shunned, too.

Re:Who knew? (0)

Anonymous Coward | more than 2 years ago | (#38134204)

Fine... and you would replace it with??????

Re:Who knew? (2)

marsu_k (701360) | more than 2 years ago | (#38134208)

JavaScript is a fad that's on its way out.

Which is why node.js is constantly losing popularity and dynamic web pages are being replaced by static ones, right?

(For the record, this dipship knows more than JS, but thinks that JS, with all its flaws, is mainly misunderstood and especially taught wrong. But many of the flaws could be rectified with the adoption of Harmony - but, while other browsers are quite quick in adapting new technologies, IE will probably prevent the change for many years to come)

Re:Who knew? (0)

Anonymous Coward | more than 2 years ago | (#38134328)

Uhh, nobody actually uses Node.js seriously. It can't exactly "lose popularity" when it's not popular, or even frequently used, in the first place!

Re:Who knew? (5, Interesting)

slim (1652) | more than 2 years ago | (#38134214)

It can't be done. The problem is that the language itself is so horribly broken that anything built upon it, be it libraries, applications, tutorials or books, will inherently be horrible, too. JavaScript just can't be salvaged. It needs to be discarded.

I used to think this, but I don't any more. The aforementioned Crockford book is the bible on this.

There is a "pleasant" Javascript community, and what they have done is to separate Javascript into three parts:
  - the good parts -- use them
  - the bad parts -- avoid using them altogether
  - the missing parts -- build acceptable workarounds to these using what's available

For example, Javascript has a horrible tendency for scripts to pollute the global variable namespace. The community came up with the CommonJS module convention, which solves the problem rather neatly.

Re:Who knew? (0)

Anonymous Coward | more than 2 years ago | (#38134352)

The same thing is happening to JavaScript, although it's delayed slightly. It really started taking off around 2008, so it's a couple of years behind Ruby. By 2013, it's likely that JavaScript and its advocates will be widely shunned, too

I remember using JavaScript back in 99 that's one long ass fad

Re:Who knew? (1)

marsu_k (701360) | more than 2 years ago | (#38134228)

This book [amazon.com] contains what it says on the tin.

Re:Who knew? (1)

Zamphatta (1760346) | more than 2 years ago | (#38134774)

Isn't that part of the beauty of Open Source though? I love being able to copy-n-paste, to avoid reinventing the wheel or avoid typing all afternoon for something you can do in 20 minutes or less. The problem is "programmers" who don't understand what they just copy-n-pasted, can't tweak it to fit their needs, and don't care to figure out (or learn) what the code is doing.

Re:Who knew? (1)

slim (1652) | more than 2 years ago | (#38134794)

I think the implication is that if it's amenable to copy/paste, it ought to be in a library.

Javascript bignum (0)

Anonymous Coward | more than 2 years ago | (#38133814)

Keygen illustrating the use of a Javascript bignum library
http://pastehtml.com/view/5ucd3ts.html

Not just webmail (1)

MichaelSmith (789609) | more than 2 years ago | (#38133824)

Could be used for web forums too.

Re:Not just webmail (0)

Anonymous Coward | more than 2 years ago | (#38133866)

Only to sign the message (or you must encrypt the post for everyone authorized to see it)

Re:Not just webmail (2)

Chrisq (894406) | more than 2 years ago | (#38133902)

Could be used for web forums too.

Only to sign the message (or you must encrypt the post for everyone authorized to see it)

Or on slashdot:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.7 (MingW32)
-----END PGP MESSAGE-----

Re:Not just webmail (2)

MichaelSmith (789609) | more than 2 years ago | (#38133932)

Gives me an idea for a forum which is just a constant stream of encrypted content. Clients decrypt any content they can.

Yeah right (-1)

Anonymous Coward | more than 2 years ago | (#38133848)

This is great because an American company having my private keys doesn't defeat the purpose of PGP at all.

Re:Yeah right (4, Informative)

Chrisq (894406) | more than 2 years ago | (#38133886)

Where do you get it that anyone but you has your private key? From TFA:

A PGP user who wants to send and receive encrypted emails from a different computer, would have to install it on that system first, import his private and public keys into the local database, known as the keyring, and then configure his email client.

Isn't encryption in JavaScript considered harmful? (3, Interesting)

Anonymous Coward | more than 2 years ago | (#38133860)

http://www.matasano.com/articles/javascript-cryptography/

Re:Isn't encryption in JavaScript considered harmf (2)

sverdlichenko (105710) | more than 2 years ago | (#38133938)

No, it isn't. This article implicitly assumes the user trusts the server with everything or not at all. Not the case with GMail: in most attack models I can perfectly assume Google will deliver me correct Javascript code over SSL, but never trust it with securing my email content. Account hijacks are quite usual and replacing code on GMail servers is completely another thing.

Re:Isn't encryption in JavaScript considered harmf (0)

Anonymous Coward | more than 2 years ago | (#38134066)

But couldn't JavaScript in the mail intercept JavaScript loaded over SSL? After all, it's both running in the same web page, isn't it?

Re:Isn't encryption in JavaScript considered harmf (1)

sverdlichenko (105710) | more than 2 years ago | (#38134270)

Why would in-mail javascript run at all?

Re:Isn't encryption in JavaScript considered harmf (4, Informative)

Chrisq (894406) | more than 2 years ago | (#38133946)

http://www.matasano.com/articles/javascript-cryptography/

The above was written by someone without an understanding of public key cryptography. All you need to do is ensure that the crypto JavaScript is delivered through a secure channel. Once you have done that you can publish a public key on an insecure site and allow people to send data to you which cannot be intercepted. You can also let them generate a key pair and send you the public key, after which you can send them a response.

Re:Isn't encryption in JavaScript considered harmf (2)

Nerdfest (867930) | more than 2 years ago | (#38134200)

This is something that webmail has needed for ages. Encrypted email is relatively easy to implement, and is free, but webmail makes it difficult to do without handing your keys over to a third party (GMail, HotMail, etc). This solves the problem nicely. It would be great to see this, or something similar, widely adopted.

Re:Isn't encryption in JavaScript considered harmf (0)

Anonymous Coward | more than 2 years ago | (#38134290)

If you have a secure channel, what do you need JavaScript crypto for?

Just communicate the mails via that channel.

out-of-band not optional (1)

reiisi (1211052) | more than 2 years ago | (#38134482)

A secure out-of-band channel is essential to secure communication.

One channel is never enough.

Re:Isn't encryption in JavaScript considered harmf (1)

Zero__Kelvin (151819) | more than 2 years ago | (#38134502)

Because you just need the secure channel to exchange the keys, and once that is done you can use any other channel even when the secure channel is not available to you. This is, in fact, the entire point of cryptography. If everyone had access to a known secure channel of infinite bandwidth at all times, then there would be no need for it.

Cue Atwood's Law comment (0)

Anonymous Coward | more than 2 years ago | (#38133882)

Cue Atwood's Law comment, as found on every JavaScript post.

Whats this obsession for everything in Javascript? (4, Insightful)

Viol8 (599362) | more than 2 years ago | (#38133888)

In the last year or so suddenly everyone seems to write everything in javascript whether appropriate or not. So these guys really think the future of development lies in the browser which will what, replace the OS as the top level development platform? Sorry, but that's rubbish. It ain't gonna happen. Too many disparate browsers with their own quirks and bugs, poor performance and ultimately limited functionality.

So other than "to see if it can be done" what exactly is the point of these projects? However much webdevs might like it to happen, javascript won't be replacing Java, C++ or C# anytime soon for serious development.

Re:Whats this obsession for everything in Javascri (1)

Anonymous Coward | more than 2 years ago | (#38133908)

I'm pretty sure it's appropriate to write a browser extension in javascript, given that it's the only language Chrome allows.

Re:Whats this obsession for everything in Javascri (1)

Anonymous Coward | more than 2 years ago | (#38134432)

How dare you call chrome a browser! It's a desktop environment dammit!

Re:Whats this obsession for everything in Javascri (3, Informative)

Anonymous Coward | more than 2 years ago | (#38133916)

Email encryption (OpenPGP and SMIME) is done on the client side. People have to use email client software (Outlook, Thunderbird, etc.) to encrypt/sign their messages.
The problem: what if you don't wanna use an email client?
The solution:
  1 - Do it manually (copy, encrypt/sign, paste)
  OR - Implement it on the "new" client software (i.e. the browser)
The reason for javascript is that Chrome extensions are written in that language (and every browser supports it). Maybe other releases will be implemented in other languages that integrate with browsers (Dart?)

Re:Whats this obsession for everything in Javascri (0)

Anonymous Coward | more than 2 years ago | (#38133928)

Would be really cool to see this ported across to gmail. Google is still going to know the contents of your mail during/from compilation but for delivery/verification on the remote side it would be nice.

Re:Whats this obsession for everything in Javascri (1)

Anonymous Coward | more than 2 years ago | (#38134068)

Did you even read TFS?

Re:Whats this obsession for everything in Javascri (1)

zippthorne (748122) | more than 2 years ago | (#38134430)

You can already get encryption of your link between google and yourself - just use https, or imap with ssl. In fact, I'm pretty sure that https is the default for the web viewer now.

The article is talking about something different.

Re:Whats this obsession for everything in Javascri (2)

Anonymous Coward | more than 2 years ago | (#38133980)

Plagiarist! Almost this exact comment was made 20 years ago:

In the last year or so suddenly everyone seems to write everything in C whether appropriate or not. So these guys really think the future of development lies in the windows interface which will what, replace the command-line as the top level development platform? Sorry, but that's rubbish. It ain't gonna happen. Too many disparate GUIs with their own quirks and bugs, poor performance and ultimately limited functionality.

So other than "to see if it can be done" what exactly is the point of these projects? However much appdevs might like it to happen, C won't be replacing assembler, Forth or Fortran anytime soon for serious development.

20 years ago? (1)

reiisi (1211052) | more than 2 years ago | (#38134496)

I think you mean thirty?

Twenty years ago is so, '90s.

Re:Whats this obsession for everything in Javascri (0)

Anonymous Coward | more than 2 years ago | (#38134040)

This epic effort has one reason: ultimate need to get rid of all those machine cycles, which poison our machines. Shame to you, chipmakers!

Re:Whats this obsession for everything in Javascri (0)

Anonymous Coward | more than 2 years ago | (#38134042)

How about, to solve the problem that I have right now, which I have because of requirements that I cannot escape?

Just because you think that it's not a good idea to solve a problem that way in the realm of theoretical computer science where you can dictate the appropriate topographical separation of network layers and clients and servers, and configure them however you like, some people in the real world are simply told: such-and-such a browser will be sending such-and-such a request to you. I want that request fulfilled in such-and-such a way.

And we have to make it happen.

Re:Whats this obsession for everything in Javascri (1)

Viol8 (599362) | more than 2 years ago | (#38134130)

"such-and-such a browser will be sending such-and-such a request to you."

In which case they'll be doing server side development so why exactly would any sane person be using javascript for this? In the "real world" I live in javascript stays in the browser. End of.

You might want to think through your replies before you start typing.

Re:Whats this obsession for everything in Javascri (0)

Anonymous Coward | more than 2 years ago | (#38134334)

In which case they'll be doing server side development so why exactly would any sane person be using javascript for this? In the "real world" I live in javascript stays in the browser. End of.

Exactly! Why didn't this asshole just hack into GMail's servers, and then configure encryption for every end user in such a way that Google, who will still ultimately have control over the servers, can't decrypt it? I mean seriously, in the "real world" we live in where the servers are controlled by corporations that we don't actually trust, server side development is always the answer.

You might want to just stop typing.

Re:Whats this obsession for everything in Javascri (0)

Anonymous Coward | more than 2 years ago | (#38134058)

Isn't it obvious ? You have a functionality, like PGP, and you want to make it more rubbish. The easiest path is to implement it in Javascript. For this particular project the "interesting part" is security of private key if you give it to a Javascript. By interesting I of course mean stupid.

Re:Whats this obsession for everything in Javascri (1)

StripedCow (776465) | more than 2 years ago | (#38134102)

Indeed. What we need is a low-level language without garbage collection.

Difficult to program by humans.
Easy to target by a compiler back-end.

Give us that, and open-source will give us all the tools and libraries to bring webdevelopment to the next level.

Re:Whats this obsession for everything in Javascri (1)

kensan (682362) | more than 2 years ago | (#38134402)

Encrypting mails you send via webmail without having to copy your keys on the server sounds like a reasonable use case.

Re:Whats this obsession for everything in Javascri (1)

Viol8 (599362) | more than 2 years ago | (#38134698)

Except a buggy browser needs to store your private key. That doesn't sound so reasonable to me.

Re:Whats this obsession for everything in Javascri (1)

kensan (682362) | more than 2 years ago | (#38134840)

Yes, that also raises the question why you read/answer encryption worthy emails via webmail but I would argue it is still an improvement that your key does not need to leave your machine.

Re:Whats this obsession for everything in Javascri (0)

Hatta (162192) | about 2 years ago | (#38135294)

So these guys really think the future of development lies in the browser which will what, replace the OS as the top level development platform? Sorry, but that's rubbish. It ain't gonna happen.

Yes, it is going to happen. It is happening, and there's nothing we can do to stop it. Not only that, but hypervisors are becoming fatter, and the BIOS is giving way to UEFI. At some point, there won't be much of a role for the traditional operating system.

What could possibly go wrong? (0)

Anonymous Coward | more than 2 years ago | (#38133896)

I'll entrust my keys to code coming from a remote server that now has the ability to send mails as me with non-repudiation and read anything sent to me in ciphertext.

Re:What could possibly go wrong? (1)

Anonymous Coward | more than 2 years ago | (#38134108)

I'll entrust my keys to code coming from a remote server that now has the ability to send mails as me with non-repudiation and read anything sent to me in ciphertext.

Huh. You probably shouldn't do that. Maybe consider a solution like the one mentioned in the article instead.

Strange. Is this news ? (1)

vikingpower (768921) | more than 2 years ago | (#38133914)

I encountered what was at least a serious attempt to do exactly the same thing in the mid-90s. And I used it, too. Together with a colleague. We both worked in a tiny outfit where the boss was meddling in corruption with local politicians and corporate local heroes. Having such a thing as PGP usable in browsers and email clients truly was PGP to us: pretty good protection (for the evidence we found against our boss).

Re:Strange. Is this news ? (1)

Robert Zenz (1680268) | more than 2 years ago | (#38134076)

Wait, you mailed encrypted evidence to the clients and would have given them the key in case stuff turned bad?

Interesting idea, I think it would have been better to mail that to newspapers and maybe directly file a complaint. Though, your business. ... Well, on second thought "get a new job" would have been an appropriate solution, too.

Re:Strange. Is this news ? (1)

vikingpower (768921) | more than 2 years ago | (#38134484)

Well, on second thought "get a new job" would have been an appropriate solution, too.

Which is what I did. And my colleague as well. We kept the evidence for ourselves, though. Once we got news, about a year later, that our boss was under investigation by a judge, we mailed the evidence to his office.

Re:Strange. Is this news ? (1)

Robert Zenz (1680268) | more than 2 years ago | (#38134600)

The office of the judge or the boss? *eg*

Key management (3, Interesting)

DrXym (126579) | more than 2 years ago | (#38133918)

So where do the keys get stored? If it's the HTML web storage, does that mean that you can only store keys per domain? Is that even advisable? And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?

I think for reasons of trust that if you were to use js PGP that it should be from a browser extension that could be reviewed and be within your control to some extent. Or better yet if the js became a core part of a browser where the code could be implicitly trusted. I'd love to see something like Firefox support go further and use a lib like this so unsigned certs could instead describe a web of trust via PGP and modify the manner in which Firefox presents such certs to a user. CAs are the biggest racket on the web and are IMO the biggest impediment to https being the default protocol for web activity.

Re:Key management (5, Funny)

Anonymous Coward | more than 2 years ago | (#38134374)

So where do the keys get stored?

They get stored in the Article.

does that mean that you can only store keys per domain?

That is also in the Article.

And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?

Try reading the Article.

I think for reasons of trust that if you were to use js PGP

And I think that before you start spouting off with an opinion, maybe you should, you know, read the article so you have a clue what the fuck you're talking about.

Beat me to it (1)

cyclomedia (882859) | more than 2 years ago | (#38133940)

Have been working on something similar very very slowly: a single ASP.Net web page (which could easily be ported to PHP no doubt) that acted as a proxy web browser that encrypted its traffic using a GPG key randomly generated (or provided by the user). It'd be text only ( = no accusations of being used for child pr0n or for teh pirates) but the idea would be that anyone could drop it into their own website without having to configure it and instantly people living under oppressive censoring regimes (China, Iran, US, etc.) would be able to open that web page and use it as a web browser to get to news sites and the like.

Re:Beat me to it (0)

Anonymous Coward | more than 2 years ago | (#38134114)

> It'd be text only ( = no accusations of being used for child pr0n or for teh pirates)

They could simply encode with http://en.wikipedia.org/wiki/Base64 [wikipedia.org]. But worry not, people who actually care about cryptography will not use some webpage some guy wrote as a hobby.

not secure (0)

Anonymous Coward | more than 2 years ago | (#38133970)

Because of the security issues raised by any javascript code:
- transmitted from a potentially rooted server, or
- intercepted by a MITM attack, or
- received by a rooted client
this implementation is not secured as specified in the techworld article

Re:not secure (1)

Chrisq (894406) | more than 2 years ago | (#38134070)

Because of the security issues raised by any javascript code:
- transmitted from a potentially rooted server, or
- intercepted by a MITM attack, or
- received by a rooted client
this implementation is not secured as specified in the techworld article

Out of your three objections the second one is the only real concern that does not also apply to SSL. Transmission of the JavaScript does not have to come from the same machine as the one using it. If this catches on I would expect most people would download it from an SSL-secured plugin site. If the client is rooted, then absolutely nothing can protect you, including SSL.

The only real weakness is the man in the middle attack. Unless you can guarantee that the public certificate is from the source you have problems. SSL gets around this with certification authorities. This is not perfect, but generally works.

GPG and PGP generally rely on a web of trust. This can work very well among a small group of people - who all trust each other only to sign a certificate that they have independently verified. If the group has rules that key signatures have to be verified by a phone call or snailmail this is probably more secure than SSL. On the other hand if you just download certificates from keyservers without verification it does not give you much protection. I don't believe that the web of trust scales to global networks. You might trust all your friends to verify people, and maybe friends of friends too. You can be pretty sure that your friends will be as careful as you. But extend this to friends of friends of friends out to six degrees of separation and you can be pretty sure that there will be a lot of careless or criminal elements in your web.
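
The depth argument in the comment above, as an added example that is not part of the thread or of GPG4Browsers: a simplified web-of-trust validation over a constructed signature graph, showing how a depth limit and a required number of independent signers change which keys you end up accepting. All names, the graph and both functions are hypothetical, and this is not GnuPG's actual trust algorithm.

```javascript
// Constructed sample data: signatures[signer] lists the keys that signer has
// certified. "frank" stands for a careless signer who certified "mallory"
// without verifying anything.
const signatures = {
  me:      ["alice", "bob"],       // keys I verified in person
  alice:   ["carol", "dave"],
  bob:     ["carol", "dave"],
  carol:   ["erin"],
  dave:    ["erin", "frank"],
  erin:    ["grace"],
  frank:   ["grace", "mallory"],
  grace:   [],
  mallory: [],
};

/**
 * Level-by-level validation starting from the user's own key.
 * A key becomes valid at depth d (d <= maxDepth) when it is certified either
 * by the root itself or by at least `minSigners` keys that were already valid
 * at a smaller depth. Returns Map(key -> depth at which it became valid).
 */
function validateKeys(graph, root, maxDepth, minSigners) {
  const depthOf = new Map([[root, 0]]);
  const rootSigned = new Set(graph[root] || []);
  for (let depth = 1; depth <= maxDepth; depth++) {
    // Count certifications from keys that are valid so far.
    const votes = new Map();
    for (const signer of depthOf.keys()) {
      for (const target of new Set(graph[signer] || [])) {
        if (!depthOf.has(target)) {
          votes.set(target, (votes.get(target) || 0) + 1);
        }
      }
    }
    let added = false;
    for (const [target, count] of votes) {
      if (rootSigned.has(target) || count >= minSigners) {
        depthOf.set(target, depth);
        added = true;
      }
    }
    if (!added) break; // no new signers, so nothing can change any more
  }
  return depthOf;
}

/**
 * For each depth limit 1..maxDepth, how many keys (besides the root) would be
 * accepted. This is the number of people whose diligence you end up relying on.
 */
function acceptedPerDepthLimit(graph, root, maxDepth, minSigners) {
  const depths = [...validateKeys(graph, root, maxDepth, minSigners).values()];
  const counts = [];
  for (let limit = 1; limit <= maxDepth; limit++) {
    counts.push(depths.filter((d) => d >= 1 && d <= limit).length);
  }
  return counts;
}

// One signature is enough: every extra degree of separation admits more keys,
// and at depth 4 the carelessly certified key is accepted.
console.log(acceptedPerDepthLimit(signatures, "me", 4, 1));
console.log(validateKeys(signatures, "me", 6, 1).get("mallory"));

// Two independent valid signers required: mallory is rejected at any depth,
// at the price of also rejecting grace, who has only one valid signer.
console.log(acceptedPerDepthLimit(signatures, "me", 4, 2));
console.log([...validateKeys(signatures, "me", 6, 2).keys()]);
```
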

"Wow, there's really no limit to what JS can do!" (5, Insightful)

dingen (958134) | more than 2 years ago | (#38133994)

News flash: turing-complete programming languages can be used to create anything. Why is it news when another random project is done in Javascript?

Re:"Wow, there's really no limit to what JS can do (1)

Robert Zenz (1680268) | more than 2 years ago | (#38134082)

Because most of the internet users still use "IE8" or less and therefore see JavaScript as something which sucks, is slow and can't find its own tail?

Re:"Wow, there's really no limit to what JS can do (1)

vikingpower (768921) | more than 2 years ago | (#38134090)

Amen. Soon, JS will run the stove in my living room. Version 2.0 will also run my lover, making her sit really elegantly with a book on the couch facing that stove.

Re:"Wow, there's really no limit to what JS can do (1)

Zero__Kelvin (151819) | more than 2 years ago | (#38134528)

Unfortunately it won't be until v3 that it can actually get you to realize that the purpose of a lover is something other than to sit elegantly with a book on the couch facing the stove, and even a massively parallel supercomputer will never get you an actual lover, thereby making the code useless.

Re:"Wow, there's really no limit to what JS can do (1)

vikingpower (768921) | more than 2 years ago | (#38134584)

Good point, although the tonal setting seems to veer somewhat toward the hostile, as in : "You poor nerd / geek / ..., you seem not to be able to get / have / keep hold of a lover". Which is not my case. The post was meant i r o n i c a l l y, for the sake of cryin' out loud ***sigh***

Re:"Wow, there's really no limit to what JS can do (1)

Zero__Kelvin (151819) | more than 2 years ago | (#38134640)

That tone you are hearing is in your head. Here on Slashdot, nobody can ever have a girlfriend, even if they are married ;-)

Re:"Wow, there's really no limit to what JS can do (1)

vikingpower (768921) | more than 2 years ago | (#38134830)

Ah. My user id is pretty low (though not as low as yours); still, I was never informed of that rule. Although, wait. Hm. You can not prove that tone I am hearing is in my head. Neither can I prove that it is not. Oh Bishop Berkeley, where art thou ?

Re:"Wow, there's really no limit to what JS can do (0)

Chrisq (894406) | more than 2 years ago | (#38134100)

News flash: turing-complete programming languages can be used to create anything.

That really would be a newsflash. What about the halting problem? [wikipedia.org] Or the P=NP problem? [wikipedia.org]

Re:"Wow, there's really no limit to what JS can do (1)

Splab (574204) | more than 2 years ago | (#38134400)

What about them?

Re:"Wow, there's really no limit to what JS can do (1)

Chrisq (894406) | more than 2 years ago | (#38134522)

What about them?

It really would be a newsflash if they could be solved in a Turing-complete language.

Re:"Wow, there's really no limit to what JS can do (1)

dingen (958134) | more than 2 years ago | (#38134572)

What does that have to do with the fact you can create any program with a Turing-complete programming language?

Re:"Wow, there's really no limit to what JS can do (1)

Chrisq (894406) | about 2 years ago | (#38135130)

What does that have to do with the fact you can create any program with a Turing-complete programming language?

Nothing, but I was responding to the GGP post saying that they could do anything.

Re:"Wow, there's really no limit to what JS can do (1)

StripedCow (776465) | more than 2 years ago | (#38134118)

Indeed, it would be way more cool if we would have a compiler back-end that targets javascript.

The real point is... (2)

PSVMOrnot (885854) | more than 2 years ago | (#38134128)

News flash: Turing-complete programming languages can be used to create anything. Why is it news when another random project is done in Javascript?

Ah, the old Turing-complete chestnut. Just because something is possible, does not mean it is feasible, practical, or easy. It's probably possible to code it in brainfuck [muppetlabs.com], chef [dangermouse.net], lolcode [lolcode.com] or a bunch of rocks [xkcd.com] but no-one in their right mind would want to.

What's really interesting about this is that it now brings PGP to almost any device with a browser - that is: those with browsers which have javascript support. This gives us such joys as iPhones with PGP that Apple can't suddenly decide they don't want people to have.

Re:The real point is... (1)

dingen (958134) | more than 2 years ago | (#38134434)

Ah, the old Turing-complete chestnut. Just because something is possible, does not mean it is feasible, practical, or easy.

Doing PGP in Javascript isn't all that different from doing it in any other programming language. The only single difference between doing a random project in Javascript versus Perl, Ruby, Python or whatever is that since all the browsers run JS, the project is accessible to probably the largest possible user base. That makes JS cool to do a project in. But since this is true for everything done in JS, I really don't think it needs to be promoted on the front page every single time someone decides to develop something in Javascript.

Next up... (0)

Anonymous Coward | more than 2 years ago | (#38134154)

The human brain and the observable universe, implemented in JavaShit... oops Script.

Jolly Good Idea (1)

jenic (1231704) | more than 2 years ago | (#38134162)

I'm sure cryptologists agree! What could possibly go wrong?!

FireGPG (2)

fwice (841569) | more than 2 years ago | (#38134166)

How is this different from FireGPG? With the exception that this is still in development versus the stall in FireGPG?

It's not that easy: side channel attacks (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38134256)

Generally speaking, porting cryptographic implementations between systems is not as easy as "do both implementations produce the same output for the many test inputs tried?".

Proper implementations will mitigate against side channel attacks by:

  • Ensuring loops within crypto implementations execute in constant time regardless of the input (both plaintext and key)
  • Ensuring keypresses are obtained on a poll cycle as opposed to being handled on each interrupt (if the key is inputted via keyboard)
  • Ensuring that keypresses are sent securely from the kernel to a lightweight userspace application that performs the encryption/decryption
  • Avoiding the storage of key material or plaintext in memory where upon deallocation (this could occur without the application having a chance to exit gracefully and overwrite the memory), another process can read the now-free memory region to obtain the key or plaintext
  • Ensuring there is no doubt as to the validity and trustworthiness of passphrase prompts

I'm skeptical as to whether a web browser implementation (in JavaScript, not part of the browser itself) can address the issues listed above.
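Two of the points in the comment above (loops whose work does not depend on the input, and key material left behind in memory) can be looked at in JavaScript itself. The following is an added example, not part of the thread and not GPG4Browsers code; the function names and the sample bytes are made up for illustration.

```javascript
// Added example, not from the thread. Sample bytes below are constructed.

// Early-exit comparison: the loop stops at the first mismatch, so the work
// done depends on how many leading bytes of the candidate are correct.
function leakyEqual(a, b) {
  let steps = 0;
  if (a.length !== b.length) return { equal: false, steps };
  for (let i = 0; i < a.length; i++) {
    steps++;
    if (a[i] !== b[i]) return { equal: false, steps };
  }
  return { equal: true, steps };
}

// Fixed-work comparison: every byte is visited and differences are folded
// into one accumulator, so no branch inside the loop depends on the data.
function fixedWorkEqual(a, b) {
  let steps = 0;
  if (a.length !== b.length) return { equal: false, steps }; // length is public
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    steps++;
    diff |= a[i] ^ b[i];
  }
  return { equal: diff === 0, steps };
}

// Secrets kept in a Uint8Array can be overwritten in place after use.
// A JavaScript string is immutable and cannot be cleared this way.
function wipe(buf) {
  buf.fill(0);
  return buf.every((byte) => byte === 0);
}

// Constructed 8-byte tag and two wrong candidates.
const tag = Uint8Array.from([0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x10]);
const wrongFirst = Uint8Array.from([0x00, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x10]);
const wrongLast = Uint8Array.from([0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x11]);

function compareSteps() {
  return {
    leaky: [leakyEqual(tag, wrongFirst).steps, leakyEqual(tag, wrongLast).steps],
    fixed: [fixedWorkEqual(tag, wrongFirst).steps, fixedWorkEqual(tag, wrongLast).steps],
  };
}

console.log(compareSteps()); // leaky: [1, 8], fixed: [8, 8]
```

The step counter makes the data dependence visible without a timer. The fixed-work loop removes the obvious early exit, but a JavaScript engine makes no timing guarantee for script code, and wiping a typed array does not reach copies the runtime may have made elsewhere.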

I tried it (0)

Anonymous Coward | more than 2 years ago | (#38134406)

It is hopelessly slow.

OpenPBP? (1)

s_p_oneil (795792) | more than 2 years ago | (#38134614)

If it's using JavaScript, they should call this version OpenPBP.

Not a complete fan of JS (1)

SpaghettiPattern (609814) | more than 2 years ago | (#38134676)

I don't see why all the fuss is made about JS's capabilities. Coming from a very strong Perl/Unix background I see the appealing side of scripting. But if I take into account business programming, JS makes me shiver to the spine.

I grew up being generally interested in CS and specifically in programming. Most programmers I meet hardly ever cease to amaze me at the nonchalance which they adopt when writing code. You (dis-) qualify yourself with me as soon as the argument of "well it works" pops up. Programming the business logic is the easy part. Handling all possible exceptions whilst maintaining integrity is the hard part. Not reaching a conclusion too soon is also "up there."

Most programmers I meet can't be arsed to take exceptions and integrity too seriously. Or to continue pondering over a problem. The natural curiosity of finding out stuff and improving oneself every single day is hardly ever there.

I have adopted the liking of Java for complex solutions. You can only screw up so much in it. And you can program almost anything with it. I like mediocre programmers to write their stuff in Java.
Anything needing complex, low level system interaction I'd program in Perl. I also appreciate other similar languages that do the same. I prefer mediocre programmers around me not to touch Perl.
For setting up running environments for programs to run and to program very simple applications, I advocate Bourne Shell (not bash.) One good thing about Bourne/Unix is that mediocre programmers steer clear from AWK.

Stating that I'm "Not a complete fan of JS" is perhaps an understatement. I find the typing revolting. The means to overload methods. The slightly different method of handling strings compared to Java.

I have had the misfortune of having to know a product using JS and an open runtime implementation. Knowing what other people did is tedious at best and debugging JS there is pure hell. I pity the folks I left behind.

So, from a business point of view I loathe JS. And from a hobby point of view I can't be bothered. Why use a scripting language to program complex software when other better maintainable technologies are around? "Because you frigging can!" is the only answer I can think of.

Re:Not a complete fan of JS (1)

kangsterizer (1698322) | about 2 years ago | (#38135010)

The fuss is that it can run in the browser sandbox, a requirement for Chrome extensions, and for Firefox's "restartless" extensions/Jetpack (not for the good old ones).

Re:Not a complete fan of JS (1)

dingen (958134) | about 2 years ago | (#38135164)

Why use a scripting language to program complex software when other better maintainable technologies are around?

Because of all the devices running a JS-capable browser these days, meaning that your JS-powered application is accessible to virtually every citizen of this planet.

MARE (-1)

Anonymous Coward | more than 2 years ago | (#38134898)

Poor prio8itiesD, Satan's Dick And