22 comments

[ 2.9 ms ] story [ 73.7 ms ] thread
(comment deleted)
Looks like it doesn't respect additional UIDs. I have one uid for my @googlemail address and one for my @gmail address. I can't send to @googlemail using your tool.
Ah thanks for that, I'm working on a patch now! :)
| What about SSL?

| SSL will not be helpful here, since no sensitive information is ever sent to this server. All encryption is done BEFORE it leaves your computer!

This made me cry.

And that's not even mentioning that I'm typing a possibly sensitive message into your app and just hoping that you're going to encrypt it with the right key and not read it yourself.

Heh, yeah I guess you are right. Getting an SSL certificate now. Not sure what to do about "proving" I'm not doing anything untoward with the message?
You really can't, but that unfortunately doesn't make it not an issue.
I am going to put the source code up on GitHub, so if people really don't trust me that can run their own! :)
Nobody is suggesting that they don't trust you, are they? I'm just observing how bad web browsers are for the kind of UX you hope to have.
The title should link back to the home page. Other than that, great job!
Updated. Thanks for the feedback, greatly appreciated. Cheers!
This should really be ssl enabled.

Not only because of the risk of data being intercepted when sent to the server, but also to mitigate the risk of a MITM attack.

Applying for an SSL certificate now. Thanks for your feedback! :)
did you do the JS implementation of PGP yourself? Really cool service btw. Maybe you could write up a nopaste-tool which encrypts the stored contents before they get posted to your server.
I actually use the Javascript PGP implementation found here: http://www.hanewin.net/encrypt/ but I do plan to implement my own soon. I'm hoping to add a file encryption utility too, but I don't think the current PGP implementation will allow that so easily.

I'm not quite sure I understand what you mean by a nopaste-tool?

Thanks for your feedback! :)

I don't know what the term for those sites is. Something like http://nopaste.info/. How do you plan to implement file encryption in JS?
I was hoping to use Javascript to encrypt the file locally and then upload the encrypted file to my servers for email or downloading. I'm not really sure on exactly how I would do it yet. :) Maybe with some HTML5 local storage?
The first, second, and really all the rules of encryption are that you should not write your own encryption code. And as others have noted, there are fundamental issues with doing such an implementation in Javascript at all.

Please consider the social consequences of pushing encryption which is very likely to be flawed to those who may not know better. If you wish to play (and who doesn't?), then it should be done among people who study cryptography and its implementation for a living.

(comment deleted)
Thanks for the link, a very interesting read. I've been brainstorming some solutions with a friend and we think that perhaps the problem could present an interesting research project. The idea of digitally signed and verified Javascript, maybe a browser plugin to check these signatures, etc.
That's an interesting idea, but you still have the problem that essentially everything in the browser can be MITMed. Even SSL isn't really secure. Just look at the recent CA incidents or the BEAST exploit.
(comment deleted)