Looks like it doesn't respect additional UIDs. I have one uid for my @googlemail address and one for my @gmail address. I can't send to @googlemail using your tool.
| SSL will not be helpful here, since no sensitive information is ever sent to this server. All encryption is done BEFORE it leaves your computer!
This made me cry.
And that's not even mentioning that I'm typing a possibly sensitive message into your app and just hoping that you're going to encrypt it with the right key and not read it yourself.
did you do the JS implementation of PGP yourself? Really cool service btw. Maybe you could write up a nopaste-tool which encrypts the stored contents before they get posted to your server.
I actually use the Javascript PGP implementation found here: http://www.hanewin.net/encrypt/ but I do plan to implement my own soon. I'm hoping to add a file encryption utility too, but I don't think the current PGP implementation will allow that so easily.
I'm not quite sure I understand what you mean by a nopaste-tool?
I was hoping to use Javascript to encrypt the file locally and then upload the encrypted file to my servers for email or downloading. I'm not really sure on exactly how I would do it yet. :) Maybe with some HTML5 local storage?
The first, second, and really all the rules of encryption are that you should not write your own encryption code. And as others have noted, there are fundamental issues with doing such an implementation in Javascript at all.
Please consider the social consequences of pushing encryption which is very likely to be flawed to those who may not know better. If you wish to play (and who doesn't?), then it should be done among people who study cryptography and its implementation for a living.
Thanks for the link, a very interesting read. I've been brainstorming some solutions with a friend and we think that perhaps the problem could present an interesting research project. The idea of digitally signed and verified Javascript, maybe a browser plugin to check these signatures, etc.
That's an interesting idea, but you still have the problem that essentially everything in the browser can be MITMed. Even SSL isn't really secure. Just look at the recent CA incidents or the BEAST exploit.
22 comments
[ 2.9 ms ] story [ 73.7 ms ] thread| SSL will not be helpful here, since no sensitive information is ever sent to this server. All encryption is done BEFORE it leaves your computer!
This made me cry.
And that's not even mentioning that I'm typing a possibly sensitive message into your app and just hoping that you're going to encrypt it with the right key and not read it yourself.
Not only because of the risk of data being intercepted when sent to the server, but also to mitigate the risk of a MITM attack.
I'm not quite sure I understand what you mean by a nopaste-tool?
Thanks for your feedback! :)
Please consider the social consequences of pushing encryption which is very likely to be flawed to those who may not know better. If you wish to play (and who doesn't?), then it should be done among people who study cryptography and its implementation for a living.