Guido Witmond
2014-12-11 10:54:54 UTC
Hello!
So we need the software to be received from trusted source. Just like we
receive browser from the repositories of our GNU/Linux system, which are
trusted and have some ways to prove the software was not modified.
Indeed.So we need the software to be received from trusted source. Just like we
receive browser from the repositories of our GNU/Linux system, which are
trusted and have some ways to prove the software was not modified.
We could use browser extensions to implement end-to-end encryption, but
they hardly can be convenient, because they will always lack some
important information, for example information on your recipient, that
could be received only with the help of the website. This information is
required to implement such useful things as automatic key selection for
the recipient.
Indeed.they hardly can be convenient, because they will always lack some
important information, for example information on your recipient, that
could be received only with the help of the website. This information is
required to implement such useful things as automatic key selection for
the recipient.
So the problem of end-to-end encryption in web-based software requires
that browser interacts with the website receiving required information,
but all the software that does the encryption loads from the computer of
user, not from the Internet at web site load time.
Indeed.that browser interacts with the website receiving required information,
but all the software that does the encryption loads from the computer of
user, not from the Internet at web site load time.
All that led me to the idea, that implementation of end-to-end
encryption in web technologies should be a part of web standard, so the
rules of interactions between website and browser encryption module is
defined strictly. For example, it could be defined as special kind of
forms, that is filled by user with unencrypted text, but when you submit
the form, browser really sends it PGP encrypted using key, that is
determined by the context (you are in a web chat with certain
recipients). This also can help in providing some extra security for
this text blocks, because browser could isolate unencrypted text from
any javascript, that may want to read it.
That's what I've designed and prototyped, except for PGP and Javascriptencryption in web technologies should be a part of web standard, so the
rules of interactions between website and browser encryption module is
defined strictly. For example, it could be defined as special kind of
forms, that is filled by user with unencrypted text, but when you submit
the form, browser really sends it PGP encrypted using key, that is
determined by the context (you are in a web chat with certain
recipients). This also can help in providing some extra security for
this text blocks, because browser could isolate unencrypted text from
any javascript, that may want to read it.
:-) I avoid all the accumulated cruft of those programs and implement it
on top of TLS and private CAs, one for each website.
So, here is my question to you, as a social networking project members.
Have you ever though of necessity of realizing end-to-end encryption as
part of web standard? Do you think it is possible to push? Maybe it is
nevertheless possible to implement end-to-end encryption with some
javascript using some extra security and isolation measures? Or maybe
you have some other ideas how to implement it, that I didn't think of?
Take a look at Eccentric Authentication.Have you ever though of necessity of realizing end-to-end encryption as
part of web standard? Do you think it is possible to push? Maybe it is
nevertheless possible to implement end-to-end encryption with some
javascript using some extra security and isolation measures? Or maybe
you have some other ideas how to implement it, that I didn't think of?
Please read:
http://eccentric-authentication.org/blog/2012/10/23/a-blog-site.html
http://eccentric-authentication.org/blog/2013/06/07/run-it-yourself.html
Or read :
http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html
and: http://eccentric-authentication.org/Usable-Security.pdf
With regards, Guido Witmond.
eccentric-authentication.org