Encrypting Google Calendar With Firefox Extensions

mrcgran writes "IBM's Nathan Harrington has an interesting essay on using open-source tools to ensure privacy on Google Calendar: 'Today's Web applications provide many benefits for online storage, access, and collaboration. Although some applications offer encryption of user data, most do not. This article provides tools and code needed to add basic encryption support for user data in one of the most popular online calendar applications. Building on the incredible flexibility of Firefox extensions and the Gnu Privacy Guard, this article shows you how to store only encrypted event descriptions in Google's Calendar application, while displaying a plain text version to anyone with the appropriate decryption keys.'"

And the ads?

[McGiraf]

I wonder what weird context ads will show up on a gmail page full of encrypted stuff.

afafasdf

[Heem]

jub arrqf nyy gung penc? Whfg hfr guvf xvpx-nff rapelcgvba zrgubq gung abobql pbhyq rire svther bhg!

Re:afafasdf

[thrillseeker]

Yes, I'll pay you Tuesday for the hamburger today, as scheduled.

Re:afafasdf

[hostyle]

No I'm afraid the turtle escapade did not go quite as planned. Requesting a vet and some extraction tools. I submit that next time we grease the turtle and not the tubes. TTYL

IBM pays people for this stuff...?

[HappyUserPerson]

I get why this article is on Slashdot (it's kind of cool), but why would IBM pay employees to work on this type of thing? It's impractical for several reasons...

Security & practicality:

1. You must install an add-in to use it. You want to your encrypted calendar with some friends. You tell them "uhh, just install this arbitrary XPI." No thanks.
2. No mention on how to securely transfer the private key to your friends. Email?
3. From your browser, the add-in spawns a shell to run a Perl script which passes arbitrary content to gpg. Security much?

Google:

1. This component is dependent on Google not changing their page. How would you and your friends like to recompile each time Google changes their page?
2. Who are you trying to protect your data from anyway? Google? They could change their page to by-pass your encryption and intercept new events as you post them. If you trust Google not to do that, what's the point? Just mark the entry as private and share it as appropriate...
3. It goes against Google's business. Okay if just a handful of users encrypt their events, no problem. However, displaying a bunch of base64 encoded garbage messes up Google's ads. Which, you know, is virtually their entire source of revenue. In the unlikely event that this technique became popular, Google would be forced to shut it down.
4. Google might shut it down anyway. It's a calendar. It's not for posting arbitrary base64 encoded data. If many users use Google calender for posting arbitrary binary data, calendar would quickly become a lawless file trading platform (think usenet) and create a performance, storage, and/or legal mess.

Been There, Done That

It's been done before. See a college project of mine called the Web Application Privacy Protector (WAPP) or here.

A major drawback is that it's usually very implementation-specific. The plugin has to be updated whenever the web application is significantly updated, and can usually be circumvented by the application provider if they really want. Additionally, encryption eliminates searchability, though there are some mediocre mitigations such as searchable encryption, tags, or searching for hashes of words. Note: WAPP hasn't been maintained since ~5/07, so it likely won't work with current applications without some tweaks.

If you have any questions, my email address is (my first name) DOT (my last name) at gmail.com.

- Gabriel Landau

Known plain-text attacks?

[spankymm]

Monday 9am - doing nothing
Monday 10am - doing nothing
Monday 11am - doing nothing
Monday 12pm - lunch
Monday 1pm - doing nothing
Monday 2pm - doing nothing ...