Encrypting Google Calendar With Firefox Extensions

mrcgran writes "IBM's Nathan Harrington has an interesting essay on using open-source tools to ensure privacy on Google Calendar: 'Today's Web applications provide many benefits for online storage, access, and collaboration. Although some applications offer encryption of user data, most do not. This article provides tools and code needed to add basic encryption support for user data in one of the most popular online calendar applications. Building on the incredible flexibility of Firefox extensions and the Gnu Privacy Guard, this article shows you how to store only encrypted event descriptions in Google's Calendar application, while displaying a plain text version to anyone with the appropriate decryption keys.'"

And the ads?

[McGiraf]

I wonder what weird context ads will show up on a gmail page full of encrypted stuff.

Re:And the ads?

[saibot834]

None, if you not only use this story's extension, but also Adblock Plus.

Re:And the ads?

Are any of these extensions (CalendarEncrypt, Adblock Plus) against the TOS? As much as I believe that you should be allowed to do whatever you want on your computer, when your data is in the cloud the provider can always pull the plug so you better not ignore the TOS.

Re:And the ads?

[omnipresentbob]

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

And then the MPAA is going to go after Google.

Re:And the ads?

[aetherworld]

So your point is that you would NOT use this extension - which enhances your security - because THEN you would see ads for stuff you don't want? Uh-hu...

Re:And the ads?

[vain+gloria]

Are any of these extensions (CalendarEncrypt, Adblock Plus) against the TOS? As much as I believe that you should be allowed to do whatever you want on your computer, when your data is in the cloud the provider can always pull the plug so you better not ignore the TOS.

The cloud is a lie. One we're better off not perpetuating at that. Our data is on Google's servers, under their control and used for their benefit. I realise you're referring unambiguously to this yourself when you talk about breaching their TOS, but I'm against embracing nebulous non-threatening jargon which obscures the true state of our personal information.

As to your point, I have no idea whether these tools are against the TOS. Since everyone includes the proviso that their terms can be unilaterally revised at any time, there's no reason why they shouldn't become so in the future.

Re:And the ads?

[MagdJTK]

eqdauyebguuheqaswgddqjxktrfevamsdessypwnwsngqoxuaqeanwhhjcxeaodnlyhw

Re:And the ads?

[General+Wesc]

Looking for dmgs wcbetc xgamgamqr p?
Find exactly what you want today!
www.eBay.com

Re:And the ads?

[McGiraf]

no i would not use gmail anyway. I'm just wondering what the parser to get the ads would come up with.

afafasdf

[Heem]

jub arrqf nyy gung penc? Whfg hfr guvf xvpx-nff rapelcgvba zrgubq gung abobql pbhyq rire svther bhg!

Re:afafasdf

[thrillseeker]

Yes, I'll pay you Tuesday for the hamburger today, as scheduled.

Re:afafasdf

Your confidence in that encryption method is intriguing, Mr. Urrz.

Re:afafasdf

[hostyle]

No I'm afraid the turtle escapade did not go quite as planned. Requesting a vet and some extraction tools. I submit that next time we grease the turtle and not the tubes. TTYL

Re:afafasdf

[strelitsa]

The chair is against the wall.

But ...

BUT ...

John has a SHORT moustache.

Re:afafasdf

ROT13 is a variation of the Caesar cipher, developed in ancient Rome.

Re:afafasdf

[slimjim8094]

Quite. I'd propose to meet you in a fortnight for some crumpets, if you would have it be.

Naturally, we'll need the olive oil as usual.

Re:afafasdf

[Joebert]

42

Re:afafasdf

[speedtux]

jub arrqf nyy gung penc? Whfg hfr guvf xvpx-nff rapelcgvba zrgubq gung abobql pbhyq rire svther bhg!

aka

who needs all that crap? Just use this kick-ass encryption method that nobody could ever figure out!

You should patent that encryption method! It's so convenient! I didn't even need a key!

Re:afafasdf

An easily-guessable key is still a key, is it not?

Re:afafasdf

[skeeto]

I didn't even need a key!

His algorithm uses a 5-bit key, but the key space only has 25 valid keys. Therefore, searching this key space is trivial, even for a paper-and-pencil method. In this case he chose the most commonly used key for this algorithm (ROTn), which you happened to also try first: 13 (or in base-2: 01101).

Re:afafasdf

[mrcgran]

The chair is against the wall.

But ...

BUT ...

John has a SHORT moustache.

thanks for presenting me to this wikipedia's article on number stations: http://en.wikipedia.org/wiki/Numbers_station

... "In the 1984 film Red Dawn, a band of high school guerrilla fighters hears two code phrases (each repeated twice) broadcast over the radio as they hide out in the wilderness. The phrases are: The chair is against the wall and John has a long mustache (the latter of which was actually used as a code-signal by the French Resistance during World War II)."

IBM pays people for this stuff...?

[HappyUserPerson]

I get why this article is on Slashdot (it's kind of cool), but why would IBM pay employees to work on this type of thing? It's impractical for several reasons...

Security & practicality:

1. You must install an add-in to use it. You want to your encrypted calendar with some friends. You tell them "uhh, just install this arbitrary XPI." No thanks.
2. No mention on how to securely transfer the private key to your friends. Email?
3. From your browser, the add-in spawns a shell to run a Perl script which passes arbitrary content to gpg. Security much?

Google:

1. This component is dependent on Google not changing their page. How would you and your friends like to recompile each time Google changes their page?
2. Who are you trying to protect your data from anyway? Google? They could change their page to by-pass your encryption and intercept new events as you post them. If you trust Google not to do that, what's the point? Just mark the entry as private and share it as appropriate...
3. It goes against Google's business. Okay if just a handful of users encrypt their events, no problem. However, displaying a bunch of base64 encoded garbage messes up Google's ads. Which, you know, is virtually their entire source of revenue. In the unlikely event that this technique became popular, Google would be forced to shut it down.
4. Google might shut it down anyway. It's a calendar. It's not for posting arbitrary base64 encoded data. If many users use Google calender for posting arbitrary binary data, calendar would quickly become a lawless file trading platform (think usenet) and create a performance, storage, and/or legal mess.

Re:IBM pays people for this stuff...?

Ever heard of "IT consulting"? IBM's consulting divisions earn >$40 Billion (yes with a B) per year. Clients worldwide deploy an incredible variety of software, especially in SMB (Small and Medium Business).

Securing client environments is often mission critical and can pay big. $$$$$

Re:IBM pays people for this stuff...?

[smallfries]

Under Security & Practicality you missed a few points:

4. It leaks information. The encrypted version shows when you are busy and free
5. There's no point using a 4096-bit key. Most calendar entries are 60 characters so the key size is overkill given there is probably less than 360 bits of entropy
6. Calendar entries are highly regular, a dictionary attack would be tractable regardless of the key-size because of the limited input space

Re:IBM pays people for this stuff...?

You must install an add-in to use it. You want to your encrypted calendar with some friends. You tell them "uhh, just install this arbitrary XPI." No thanks.

If they don't trust the (open-source and peer-verified) extension, they could just copy&paste it to PGP.

No mention on how to securely transfer the private key to your friends. Email?

That's a valid point. PGP wasn't designed for broadcasting content (without encoding to every recipient's key).

From your browser, the add-in spawns a shell to run a Perl script which passes arbitrary content to gpg. Security much?

That's a real WTF. They could have just used FireGPG.

Who are you trying to protect your data from anyway? Google? They could change their page to by-pass your encryption

They never get to see the unencrypted content, do they? Or do you mean Ajax keylogging? You can't conceal that, and Google still has some reputation to lose.

Isn't obfuscation enough for most people?

[Mathinker]

Frankly, I think most people don't need military grade encryption for their calendar, they just need to be able to obfuscate some of the entries in a repeatable fashion (so you can search for obfuscated events) which is not trivially unobfuscated by Google (or any others, e.g., governments, who would like to search everyone's calendar for particular keywords).

For most people, even the "Leet Key" extension is overkill.

I've been thinking about this, have even worked up a Javascript-based very weak, keyed, repeatable encryption (base64 encoding + single letter substitution) which I was planning one day on posting to Sourceforge. I guess I should get moving on that....

Re:Isn't obfuscation enough for most people?

[smallfries]

Errr, what keywords do you think governments would like to scan calendars for? I don't think there is much of a market for online calendar services for drug dealers or terrorists:

11pm Pick up 2kg of uncut cocaine
Weds [all-day] Cut the coke

or

Fri 9am Blow myself the fuck up outside the library

??? I mean, I can see your point that this overkill. I'm just suprised that you offhandly show such paranoia :)

Re:Isn't obfuscation enough for most people?

[Mathinker]

> what keywords do you think governments would like to scan calendars for?

Donno, say, the local DA has just managed to convict P. Ed Erast for child porn, and he says to himself, 'Hmm, maybe I should run a scan on everyone's online calendars for the phrase "P. Ed Erast"?' He can't do that legally in the US, but that doesn't mean he might not want to do it.

> I don't think there is much of a market for online calendar services for
> drug dealers or terrorists...

That's a funny strawman, thanks for the chuckle, but in the end it is a strawman. Do you actually think, given what kind of data-mining measures are being pushed by the US government in the name of "think of the children/terror", that they would disagree to add calendar info to their trove?

Even if you are right, and my mention of governments was a bit over-the-top, you have to admit that I did mention Google as the major "threat" here. I log certain health-related events in my online calendars, but I don't do that in cleartext. By having this ability for obfuscation, I can squeeze more use from that resource than I otherwise would be able to, and I have more control over the profile that Google and other online services are compiling on me.

I also obfuscate some of my entries in Google Notebook and Google Docs. Paranoia? Perhaps. But probably not much more than many people who make security a career (which I don't, it's only a hobby with me).

Been There, Done That

It's been done before. See a college project of mine called the Web Application Privacy Protector (WAPP) or here.

A major drawback is that it's usually very implementation-specific. The plugin has to be updated whenever the web application is significantly updated, and can usually be circumvented by the application provider if they really want. Additionally, encryption eliminates searchability, though there are some mediocre mitigations such as searchable encryption, tags, or searching for hashes of words. Note: WAPP hasn't been maintained since ~5/07, so it likely won't work with current applications without some tweaks.

If you have any questions, my email address is (my first name) DOT (my last name) at gmail.com.

- Gabriel Landau

Re:Been There, Done That

> my email address is (my first name) DOT (my last name) at gmail.com.

Hey, I just tried "anonymous.coward@gmail.com" and it bounced.

It's good to see PGP in use.

[SignOfZeta]

I've been using GPG for years, and it's very rare that I run into someone else who uses it. It's refreshing to see it making a comeback! I don't use Google Calendar (nothing against it, but I prefer iCal), but this is quite a novel approach to encryption.

Re:It's good to see PGP in use.

[muckracer]

1.
> it's very rare that I run into someone else who uses [GPG]
2.
> It's refreshing to see it making a comeback!

1. Why do you think it is that way?
2. What IYHO has changed compared to 1 and what still needs to happen?

Re:It's good to see PGP in use.

[SignOfZeta]

1. I think the proliferation of webmail and AOLers has put the proverbial fork into anything that can't be simplified in its entirety to a toolbar button. You can click a button to sign and encrypt messages, sure, but you can't quite click a button to generate a key, sign someone else's key, send and receive from keyservers, etc.

   Oh yeah, and no one seems to care, despite companies trying to think of new ways to verify that they are the sender of an email. AOL has their "Official AOL Mail", and everyone else has a separate inbox for you after logging in. Well, what's more verifiable than PGP and a key with a lot of signatures? Before we set up your cable TV account, will you promise to sign our PGP key?

2. Instead of MD5 sums and such, people are starting to sign downloads with GPG. Now, if only the Microsofts and Apples of the world would recognize PGP as a valid form of digital signatures on an application, that would be a huge step forward.

   Sure, the geeks (such as myself) love it, but PGP and GPG aren't going to take off until they can (a) build the functionality into webmail, (b) sell said functionality to Google, Yahoo, Microsoft, Apple... who am I forgetting... and (c) simplify things so that even Mr. and Mrs. Everyman know how to use it.

This is all very nice...

but it doesn't encrypt the dates and times of events. Sometimes you may want to hide/encrypt the fact that you have a scheduled event at a certain date and time, regardless of what the event is.

Known plain-text attacks?

[spankymm]

Monday 9am - doing nothing
Monday 10am - doing nothing
Monday 11am - doing nothing
Monday 12pm - lunch
Monday 1pm - doing nothing
Monday 2pm - doing nothing ...

Re:Known plain-text attacks?

[iminplaya]

Well, lucky you, that you only have to work five hours.

Re:Known plain-text attacks?

Of course this doesn't work against PGP.
You have the public key available, so you can generate as many encrypted files with known plaintext as you want.

Re:Known plain-text attacks?

Monday 9am - slashdot
Monday 10am - coffee break
Monday 11am - p0rn
Monday 12pm - lunch
Monday 1pm - slashdot
Monday 2pm - meeting with pointy haired boss

-----BEGIN PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----

jA0EAwMCD6Y+QCwY0/FgyTlt8ESEN4oD1H0M+beKVPhhI3v7OuR+NFvijvMxgse/
PlEXghVvODDeLtU6vhn1vrqIIRjYCQHzMDw=
=CoEf
-----END PGP MESSAGE-----

Why bother doing this?

Why bother doing this? Why not just store a .ical file in an encrypted container on amazon's S3 service for about $0.000001/month and read it with everything?

sms

and what will happen to sms reminders... probably one of the best reasons for using googcal instead any pc app.

Long live Caesar!

[mrmeval]

W twuifsr wh cih obr fch 14'r awbs pippo

Re:Long live Caesar!

I figured it out and rot 14'd mine bubba

Actual ads from Google

[Xtifr]

jub arrqf nyy gung penc? Whfg hfr guvf xvpx-nff rapelcgvba zrgubq gung abobql pbhyq rire svther bhg!

Just out of curiousity, I posted that into a new email with gmail, saved it to my drafts folder, then went to look, and the "context" ads that appeared are:

Secrets of the Shaolin
Rare Chinese Scriptures Translated Released for 1st Time Ever

Try Tai Chi QiGong
Live A More Active & Fuller Life, DVD/Videos, Free & Fast Shipping!

Coconut Soup (Tom Kha)
Made with Fresh Coconut Milk Loaded with Lemongrass and Galangal

Chi Kung Resources
See How Chi Kung Can Empower You. Learn How Today!

BE a Yoga Teacher
Teacher Trainings for Women Sip the nectar of Prana in Baja

So, apparently, if you encrypt your data, Google thinks you're speaking some Asian language, but isn't exactly sure which one. :)

Re:Actual ads from Google

[ftobin]

Well, it makes sense that if you are swapping for letters on the other side of the alphabet, you might end up with a language for the other side of the world.

Mod parent informative

(nt)

SIMPLER: Why Not use httpS

[Mana+Mana]

https://www.google.com/calendar/render?pli=1

Re:SIMPLER: Why Not use httpS

[friedmud]

Agreed... I use https for all of my Google stuff. I can't believe people do it any other way. The 3 main apps I use with it are:

GMail
Calendar
Google Docs

I can't believe that people actually use GMail and Google Docs _without_ using https! That is a lot of personal junk flowing over unencrypted pipes.

I have to agree with my sibling poster... why doesn't Google encrypt all services that can carry sensitive information by default? Just doesn't make sense.

BTW: Even Google Gears (used for offline google docs for one) can use https.

Friedmud

Re:SIMPLER: Why Not use httpS

Because this doesn't encrypt your data on the server... It only encrypts your data in transmission.

Apropos

[Mana+Mana]

Why does Google NOT allow you to use all their services securely, i.e., TLS/encrypted???

Last I looked only Gmail and Gcal are able to be encrypted: httpS.

Why, with their ginourmous resources cpu power should be trivial. WTF?

And at least in most Europe and the USA legal issues, snooping should be moot.