Encrypted Web Pages?
Michael Holstein
michael.holstein at csuohio.edu
Mon Dec 17 15:26:22 UTC 2007
> I have what may perhaps seem like a strange question.
> Is there any commonly used software for encrypting and
> decrypting web pages?
>
Yes, SSL .. and it's been around for quite a while.
> Let me explain that a little better: imagine a web
> site which has content destined for specific
> individuals. For each individual there is separate
> content on separate pages, and no one but the
> individual for whom the content is destined should be
> able to read the content, not even the creator of the
> content!
>
Why not just SSL the site, and then restrict access to it using
certificates (still X.509, but separate from the one used for transport
security)?
> In other words, is there a private/public key
> mechanism similar to PGP (or even a PGP web page
> plugin) that will work transparently while browsing
> the web? The transparently part would mean that a
> user can provide a private key to a browser and any
> pages encrypted with the user's public key would
> automatically be decrypted for him when he views them.
>
>
Again, this can be easily provided by issuing X.509 certificates to the
end-users and then requiring those certificates to authenticate to the
webserver. Transport security (as it pertains to TOR, etc.) is provided
by a separate X.509 certificate whose purpose is to sign the encrypted
channel over which the data is transferred. You would manage the X.509
certificates assigned to your users by yourself, so you could handle
revocations (although Verisign, et al. will happily sell you a
commercial X.509 solution for client auth).
If you had a scenario where you needed to deploy a webserver in "hostile
territory" and needed to ensure the security of the data thereon, you
could conceivably gzip and GPG each .html page and associated items with
multiple public keys based on some other criteria (like what cert the
browser provided) and then let the end-user decrypt it with their
private .. but this definitely won't be "automatic" .. but you could
wrap it in Java to make it somewhat portable if you wanted. You could
also write an ActiveX or XPI plug-in to incorporate it into the browser
.. but then you're putting a lot of "trust" in a 3rd party with your GPG
keys.
~Mike.
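
The client-certificate approach suggested in the reply above, sketched with Python's standard `ssl` module as an added example (not part of the original message): the server refuses clients without a certificate from the site's own CA, then maps the verified certificate to that user's pages. The content root, function names and the revoked-serial set are assumptions made for illustration.

```python
import ssl
from pathlib import Path

# Hypothetical layout: one directory of pages per user under CONTENT_ROOT.
CONTENT_ROOT = Path("/srv/private-pages")


def make_server_context(server_cert, server_key, client_ca):
    """TLS context that refuses any client lacking a cert signed by client_ca."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)  # transport-security cert
    ctx.load_verify_locations(cafile=client_ca)   # CA that issued the user certs
    ctx.verify_mode = ssl.CERT_REQUIRED           # handshake fails without one
    return ctx


def common_name(peer_cert):
    """Extract the single subject CN from the dict returned by getpeercert()."""
    names = [value
             for rdn in peer_cert.get("subject", ())
             for key, value in rdn
             if key == "commonName"]
    if len(names) != 1:
        raise PermissionError("certificate must carry exactly one commonName")
    return names[0]


def page_for(peer_cert, requested, revoked_serials=frozenset()):
    """Map a verified client certificate to that user's copy of a page."""
    if peer_cert.get("serialNumber") in revoked_serials:
        raise PermissionError("certificate revoked")
    user = common_name(peer_cert)
    # The CN becomes a path component, so allow only a conservative alphabet.
    allowed = all(c.isalnum() or c in "-_." for c in user)
    if not user or not allowed or user.startswith("."):
        raise PermissionError("unacceptable commonName")
    user_root = (CONTENT_ROOT / user).resolve()
    target = (user_root / requested.lstrip("/")).resolve()
    # Refuse anything that resolves outside the user's own directory.
    if user_root not in target.parents:
        raise PermissionError("path escapes user directory")
    return target
```

In a handler, `peer_cert` is what `SSLSocket.getpeercert()` returns after a handshake on a socket wrapped with the context above.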
More information about the tor-talk mailing list