Encrypted Web Pages?

Martin Fick mogulguy at yahoo.com
Mon Dec 17 17:25:13 UTC 2007


--- Michael Holstein <michael.holstein at csuohio.edu>
wrote:
> 
> > Despite my bias, an embedded java app 
> > would not work since it would be 
> > controlled (provided) by the hostile 
> > server right?
> 
> You could sign the applet with a key 
> provided to your clients, since you're 
> using a distribution model where you 
> have known end-users (as you need their 
> keys to encrypt the data).

But I have untrusted senders who should
never be able to get access to my private
keys (public keys, sure), so how does the 
signing help?  If the java app is created 
by anyone but the recipient it cannot be 
trusted.

> My thought on Java was to be able to 
> automate the key scheme within the 
> browser, versus requiring them download 
> a .gz.gpg file and decrypt it on their 
> own. A (sort-of) working example of 
> this is how HushMail does it (using 
> Java to code the PGP stuff).

Forgive me for not understanding, but 
what prevents HushMail from decoding
the messages?


> It's an interesting threat model though :)

Yes, but it really is a fairly simple one.
I am surprised that HTML does not seem
to have some extension to deal with this
already.  It is not much different from 
encrypted email concepts, just that the 
browser needs the ability to do the
decrypting instead of your mail program.  
The simplest fallback may be to simply 
open the web page with the user's mailer 
(if their mailer supports that,)

-Martin



      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 



More information about the tor-talk mailing list