[tor-talk] Ideas to securely implement PGP encryption/decryption

tor at lists.grepular.com tor at lists.grepular.com
Fri Oct 14 09:28:11 UTC 2011 

I'm jumping into this thread late, and am not replying to a specific
email, I just wanted to add an idea I had a while ago.

1.) First of all, add some basic functions:

Select some encrypted/signed text, right click, select decrypt/verify.
See the results in a XUL window.

Right click a textarea, select "Enter encrypted text", a XUL window pops
up asking for the plain text. You enter that, and the encrypted text is
inserted into the textarea.

Select some text in a textarea, click sign, and see the text replaced by
the signed version.

2.) Make the following functions available to javascript:

window.gnupg.encrypt( callback )
window.gnupg.decrypt( data, callback )
window.gnupg.sign( data, callback )
window.gnupg.verify( data, callback )
window.gnupg.add_public_key( key, callback )

Others?

Whenever one of those operations could cause a privacy leak, such as the
site being able to automatically determine your key id, or determine
whether or not you have a particular public key in your ring, use a XUL
window to ask the user to authorise the request. Any decrypted data
should go into a separate XUL window.

Then, people who write applications like webmail clients can do stuff
like this:

if( "gnupg" in window ){
	thetextarea.onfocus = function(){
		window.gnupg.encrypt( function( ciphertext ){
			thetextarea.value = ciphertext;
		} );
	};
}

Which would mean that if somebody has the addon installed, and clicks
the textarea, window.gnupg.encrypt() would be called, which would spawn
the XUL window where they enter the plain text. Once the user has
entered the plain text, and hit "Save" or whatever, the callback
function would be called with the ciphertext as an argument.

The vast majority of sites, eg GMail wont implement something like this
(at least not at first), but we can do it ourselves by writing
greasemonkey (or similar) plugins.

If it is designed well enough, it could even become a standard one day
and be built directly into browsers.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20111014/507db2bb/attachment.pgp>

More information about the tor-talk mailing list