Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenPGP Implemented In JavaScript

Posted by Unknown on from the what-won't-someone-do-next dept.

angry tapir writes with this excerpt from Tech World: "Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages. Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with GMail." A quick gander at the source leaves me with the impression that it should be more or less portable to other browsers. It's also built using a lot of off-the-shelf Javascript libraries. (Who knew Javascript had a bignum library and a number of cipher implementations?)

5 of 167 comments (clear)

  1. Isn't encryption in JavaScript considered harmful? by Anonymous Coward · · Score: 3, Interesting

    http://www.matasano.com/articles/javascript-cryptography/

  2. Key management by DrXym · · Score: 3, Interesting
    So where do the keys get stored? If it's the HTML web storage, does that mean that you can only store keys per domain? Is that even advisable? And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?

    I think for reasons of trust that if you were to use js PGP that it should be from a browser extension that could be reviewed and be within your control to some extent. Or better yet if the js became a core part of a browser where the code could be implicitly trusted. I'd love to see something like Firefox support go further and use a lib like this so unsigned certs could instead describe a web of trust via PGP and modify the manner in which Firefox presents such certs to a user. CAs are the biggest racket on the web and are IMO the biggest impediment to https being the default protocol for web activity.

  3. Re:Who knew? by Anonymous Coward · · Score: 5, Interesting

    The short book, JavaScript: The Good Parts, by Douglas Crockford ....

  4. Re:Who knew? by slim · · Score: 5, Interesting

    It can't be done. The problem is that the language itself is so horribly broken that anything built upon it, be it libraries, applications, tutorials or books, will inherently be horrible, too. JavaScript just can't be salvaged. It needs to be discarded.

    I used to think this, but I don't any more. The aforementioned Crockford book is the bible on this.

    There is a "pleasant" Javascript community, and what they have done is to separate Javascript into three parts:
      - the good parts -- use them
      - the bad parts -- avoid using them altogether
      - the missing parts -- build acceptable workarounds to these using what's available

    For example, Javascript has a horrible tendency for scripts to pollute the global variable namespace. The community came up with the CommonJS module convention, which solves the problem rather neatly.

  5. Re:Who knew? by aztracker1 · · Score: 3, Interesting

    I'm afraid I have to agree on this one... Recently a programmer was let go because he simply couldn't creatively code his way out of a paper bag. Of course now I'm stuck picking up the slack, but 1/3 of my time was spent helping the other guy, and most of what he got done is what I actually did.

    --
    Michael J. Ryan - tracker1.info