OpenPGP Implemented In JavaScript

← Back to Stories (view on slashdot.org)

OpenPGP Implemented In JavaScript

Posted by Unknown on Monday November 21, 2011 @10:32PM from the what-won't-someone-do-next dept.

angry tapir writes with this excerpt from Tech World: "Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages. Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with GMail." A quick gander at the source leaves me with the impression that it should be more or less portable to other browsers. It's also built using a lot of off-the-shelf Javascript libraries. (Who knew Javascript had a bignum library and a number of cipher implementations?)

30 of 167 comments (clear)

Min score:

Reason:

Sort:

Who knew? by Pieroxy · 2011-11-21 22:36 · Score: 4, Insightful

who knew Javascript had a bignum library and a number of cipher implementations
Those that know JavaScript?
And I don't mean the kids copy/pasting stuff found on the web, but real people working with JavaScript and having knowledge of the language, libraries, etc.
The biggest problem with JavaScript is that the world is plagued with kiddos that think they know JavaScript when all they know is how to search their needs on Google and copy/paste from there.

--
Write boring code, not shiny code!
1. Re:Who knew? by LingNoi · 2011-11-21 22:42 · Score: 4, Insightful
  
  Ah yes, the stereotypical programmer.. You're either a genius or an idiot. You must be real fun to work with.
2. Re:Who knew? by Anonymous Coward · 2011-11-21 23:37 · Score: 5, Interesting
  
  The short book, JavaScript: The Good Parts, by Douglas Crockford ....
3. Re:Who knew? by marsu_k · 2011-11-22 00:16 · Score: 2
  
  JavaScript is a fad that's on its way out.
  Which is why node.js is constantly losing popularity and dynamic web pages are being replaced by static ones, right?
  (For the record, this dipship knows more than JS, but thinks that JS, with all its flaws, is mainly misunderstood and especially taught wrong. But many of the flaws could be rectified with the adoption of Harmony - but, while other browsers are quite quick in adapting new technologies, IE will probably prevent the change for many years to come)
4. Re:Who knew? by slim · 2011-11-22 00:17 · Score: 5, Interesting
  
  It can't be done. The problem is that the language itself is so horribly broken that anything built upon it, be it libraries, applications, tutorials or books, will inherently be horrible, too. JavaScript just can't be salvaged. It needs to be discarded.
  I used to think this, but I don't any more. The aforementioned Crockford book is the bible on this.
  There is a "pleasant" Javascript community, and what they have done is to separate Javascript into three parts:
  - the good parts -- use them
  - the bad parts -- avoid using them altogether
  - the missing parts -- build acceptable workarounds to these using what's available
  For example, Javascript has a horrible tendency for scripts to pollute the global variable namespace. The community came up with the CommonJS module convention, which solves the problem rather neatly.
5. Re:Who knew? by Anonymous Coward · 2011-11-22 00:37 · Score: 5, Funny
  
  The short book, JavaScript: The Good Parts, by Douglas Crockford ....
  A book on JavaScipt's good parts is short?! I am shocked, sir!
6. Re:Who knew? by Zero__Kelvin · 2011-11-22 01:06 · Score: 4, Insightful
  
  The fact remains that a large majority of programmers today would do the world a service by changing careers. The industry is flooded with programmers who cannot program.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
7. Re:Who knew? by aztracker1 · 2011-11-22 03:17 · Score: 3, Interesting
  
  I'm afraid I have to agree on this one... Recently a programmer was let go because he simply couldn't creatively code his way out of a paper bag. Of course now I'm stuck picking up the slack, but 1/3 of my time was spent helping the other guy, and most of what he got done is what I actually did.
  
  --
  Michael J. Ryan - tracker1.info
8. Re:Who knew? by aztracker1 · 2011-11-22 03:20 · Score: 2
  
  This is from my own blog... JavaScript Books That Should Be Required Reading, and still pretty relevant.. there are also a couple of APress books for more advanced topics. Also, if you are interested in the language itself, getting into NodeJS, or MongoDB isn't a bad way to do it out of the browser.
  
  --
  Michael J. Ryan - tracker1.info
9. Re:Who knew? by Scaba · 2011-11-22 05:04 · Score: 5, Insightful
  
  JavaScript is a fad that's on its way out. The same thing happened to Ruby due to Ruby on Rails. The Ruby hype really started taking off around 2006, but by 2010 people realized how shitty Ruby and RoR actually are. That's why we hear almost nothing about either of them these days. The same thing is happening to JavaScript, although it's delayed slightly. It really started taking off around 2008, so it's a couple of years behind Ruby. By 2013, it's likely that JavaScript and its advocates will be widely shunned, too.
  2008? JavaScript gained widespread popularity around mid-1996, so by your reckoning it should have faded away sometime in 2001. Like all languages, JavaScript has its warts and WTF moments, but it is the poor craftsman who blames his tools, especially if those tools are being used by millions of other craftsman around the world to create all manner of novel and useful applications (to admittedly varying levels of quality, but again that's more about the developer's skill level than the language itself). Solving the JavaScript problem is a simple five-step process, though: create the One Perfect Language, convince the major browser manufacturers to include a flawless implementation, get all of the current JS developers to learn to code in it correctly, rewrite all existing codebases in it, and make the entire world upgrade their browsers. Done! Now, what's for lunch...?
10. Re:Who knew? by olau · 2011-11-22 07:17 · Score: 3, Insightful
  
  Douglas Crockford has some weird recommendations that seem to come from him being bitten by evil hacks by a real nutjob once upon a time (maybe himself?). I don't think he represents the majority of Javascript programmers.
  It's a bit like if you were in a C++ team and someone thought it would be fun to overload the + operator to do weird things on ints. Afterwards you're so scared that you go around advocating people use c_mathlibrary_plus(a, b) instead of using + since someone might have hacked the +. IMHO that's not relevant advice for most people.
  Of course, some people think that languages where you can mess with things are evil. But it's not that easy. To take the operator overloading example: If you've ever tried expressing an algorithm involving lots of vector and matrix math in a language that doesn't allow overloading of operators, you'll see what I mean. It's true, of course, that most of the time you should stay far away from that sort of magic, and it's just plain stupid that C++ hints that frivolous operator overloading is okay by doing it in the standard I/O library.
  Same thing with Javascript. The basic stuff will get you through 99.9% of the cases.
Re:SINCE WHEN IS HONEYCOMB A DESSERT ?? by Pieroxy · 2011-11-21 22:37 · Score: 2, Funny

I want to know who at Teh Google screwed that one up !!
Some group of bears maybe?

--
Write boring code, not shiny code!
Isn't encryption in JavaScript considered harmful? by Anonymous Coward · 2011-11-21 22:57 · Score: 3, Interesting

http://www.matasano.com/articles/javascript-cryptography/
Re:Yeah right by Chrisq · 2011-11-21 23:01 · Score: 4, Informative

Where do you get it that anyone but you has your private key? From TFA:

A PGP user who wants to send and receive encrypted emails from a different computer, would have to install it on that system first, import his private and public keys into the local database, known as the keyring, and then configure his email client.
Whats this obsession for everything in Javascript? by Viol8 · 2011-11-21 23:01 · Score: 4, Insightful

In the last year or so suddenly everyone seems to write everything in javascript whether appropriate or not. So these guys really think the future of development lies in the browser which will what, replace the OS as the top level development platform? Sorry , but thats rubbish. It aint gonna happen. Too many disperate browsers with their own quirks and bugs, poor performance and ultimately limited functionality.
So other than "to see if it can be done" what exactly is the point of these projects? However much webdevs might like it to happen, javascript won't be replacing Java, C++ or C# anytime soon for serious development.
Re:Not just webmail by Chrisq · 2011-11-21 23:05 · Score: 2

Could be used for web forums too.
Only to sign the message (Or you must encrypt the post for everyone authorized to see it )
Or on slashdot: -----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.7 (MingW32)

hQIOA68nz9GqU7SREAgAxWfwvpziO4N6KquxmeuYD/txfTceyXRZGVqAGFUGmOdE
+K9PCLp/+p3cFC8OcOZg8WReI4wlpYzgS3/XsB4LL9MegSHwjjI9jNsnQOr9EeLA
IgDEb1NeXZ499qnSY1ZvCy/VCF1O7H71y77VQTckpfyHgWvzkaaaheMC0r+JGLZO
0w3NCTERFJ8XaXKz/+qw4gA7xxbpT9nXVXMwEwYgiAviJBJhdYw63oTlRYGgGzPh
H2YVNv2TWnpWp816xi+sbM1ZsJJERnAZSADKFYZzYw4E73VhUlrX5YBY4WN7UmQw
yg73zfJYBuJ8+HymPhUUNH7KFqT5T2Cv4TRJgeWvxAgA3/bSCxncZ640z7KlMCMk
IskJkKRau6jeLJZKheZnyBoYiJLuJw+4FeOIkpk3ZKbWzk18kFT47x5kZA051g/p
A300n5ivHauHQz8jVTXBNF800YtkknB4+H9q5lnVYik0JsPLKGX+/sjEJ01iWaWl
wBC3poSYT+l63wNO73CDhx4VbpOzLgzbyNB6O67iuiQm2D9hLwk8L4YPOoMlfwyM
kUmsZUX709sMBHZN/9aniaVBsLxszHw9xu5OuSz/lHkckplcwb94XDLh1KGGO+1Q
LzbpFYPqe3BANLK5xxlQAAti/uk0XYltVJfUOCzyxl282X3Tp/77FtiGGb8RI1HY
hslojkAQa9gK1+f44Y8LwHH5k7fQr+Q+luqP7inoEQWbpWW4hu80Wkafv/bzI/xu
Z1qGcEVcJGJPP7QwQWUp53FbZuIq742CoxNklwvlnjhEaXa5rG2dmHUREawVzz+q
M8RkPBZIBge0SVY=
=WznL
-----END PGP MESSAGE-----
Re:Whats this obsession for everything in Javascri by Anonymous Coward · 2011-11-21 23:08 · Score: 3, Informative

Email encryption (OpenPGP and SMIME ) is done on the client side. People have to use to email client softwares ( outlook, thunderbird ..etc) to encrypt/sign their messages.
The problem, what if you dont wanna use an email client ?
The solution
1 - Do it manually ( copy, encrypt/sign , past)
OR - Implement it on the "new" client software (ie: the browser )
The reason of javascript is that chrome extensions are written in that language ( and every browser support it ). Maybe other releases will be implemented in other languages that integrate to browsers ( Dart ? )
Key management by DrXym · 2011-11-21 23:09 · Score: 3, Interesting

So where do the keys get stored? If it's the HTML web storage, does that mean that you can only store keys per domain? Is that even advisable? And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?
I think for reasons of trust that if you were to use js PGP that it should be from a browser extension that could be reviewed and be within your control to some extent. Or better yet if the js became a core part of a browser where the code could be implicitly trusted. I'd love to see something like Firefox support go further and use a lib like this so unsigned certs could instead describe a web of trust via PGP and modify the manner in which Firefox presents such certs to a user. CAs are the biggest racket on the web and are IMO the biggest impediment to https being the default protocol for web activity.
1. Re:Key management by Anonymous Coward · 2011-11-22 00:47 · Score: 5, Funny
  
  So where do the keys get stored?
  They get stored in the Article.
  
  does that mean that you can only store keys per domain?
  That is also in the Article.
  
  And what stops a compromised site from lifting your keys while it's about encrypting or signing a message for you?
  
  Try reading the Article.
  
  I think for reasons of trust that if you were to use js PGP
  And I think that before you start spouting off with an opinion, maybe you should, you know, read the article so you have a clue what the fuck you're talking about.
Re:Not just webmail by MichaelSmith · 2011-11-21 23:12 · Score: 2

Gives me an idea for a forum which is just a constant stream of encrypted content. Clients decrypt any content they can.

--
http://michaelsmith.id.au
Re:Isn't encryption in JavaScript considered harmf by sverdlichenko · 2011-11-21 23:13 · Score: 2

No, it isn't. This article implicitly assumes user trusts server with everything or not at all. Not a case with GMail: in most attack models I can perfectly assume Google will deliver me correct Javascript code over SSL, but never trust it with securing my email content. Account hijacks are quite usual and replacing code on GMail servers is completely another thing.
Re:Isn't encryption in JavaScript considered harmf by Chrisq · 2011-11-21 23:14 · Score: 4, Informative

http://www.matasano.com/articles/javascript-cryptography/
The above was written by someone without an understanding of public key cryptography. All you need to do is ensure that the crypto JavaScript is delivered through a secure channel. Once you have done that you can publish a public key on an insecure site and allow people to send data to you which cannot be intercepted. You can also let them generate a key pair and send you the public key, after which you can send them a response.
Re:Whats this obsession for everything in Javascri by Anonymous Coward · 2011-11-21 23:22 · Score: 2

Plagiarist! Almost this exact comment was made 20 years ago:
In the last year or so suddenly everyone seems to write everything in C whether appropriate or not. So these guys really think the future of development lies in the windows interface which will what, replace the command-line as the top level development platform? Sorry , but thats rubbish. It aint gonna happen. Too many disperate GUIs with their own quirks and bugs, poor performance and ultimately limited functionality.
So other than "to see if it can be done" what exactly is the point of these projects? However much appdevs might like it to happen, C won't be replacing assembler, Forth or Fortran anytime soon for serious development.
"Wow, there's really no limit to what JS can do!" by dingen · 2011-11-21 23:25 · Score: 5, Insightful

News flash: turing-complete programming languages can be used to created anything. Why is it news when another random project is done in Javascript?

--
Pretty good is actually pretty bad.
The real point is... by PSVMOrnot · 2011-11-21 23:59 · Score: 2

News flash: turing-complete programming languages can be used to created anything. Why is it news when another random project is done in Javascript?
Ah, the old Turing-complete chestnut. Just because something is possible, does not mean it is feasible, practical, or easy. It's probably possible to code it in brainfuck, chef, lolcode or a bunch of rocks but no-one in their right mind would want to.
What's really interesting about this is that it now brings PGP to almost device with a browser - that is: those with browsers which have javascript support. This gives us such joys as iPhones with PGP that Apple can't suddenly decide they don't want people to have.
FireGPG by fwice · 2011-11-22 00:08 · Score: 2

How is this different from FireGPG? With the exception that this is still in development versus the stall in FireGPG?
Re:Isn't encryption in JavaScript considered harmf by Nerdfest · 2011-11-22 00:15 · Score: 2

This is something that webmail has need for ages. Encrypted email is relatively easy to implement, and is free, but webmail makes it difficult to do without handing your keys over to a third party (GMail, HotMail, etc). This solves the problem nicely. It would be great to see this, or something similar widely adopted.
It's not that easy: side channel attacks by Anonymous Coward · 2011-11-22 00:23 · Score: 2, Interesting
Generally speaking, porting cryptographic implementations between systems is not as easy as "do both implementations produce the same output for the many test inputs tried?".
Proper implementations will mitigate against side channel attacks by:
- Ensuring loops within crypto implementations execute in constant time regardless of the input (both plaintext and key)
- Ensuring keypresses are obtained on a poll cycle as opposed to being handled on each interrupt (if the key is inputted via keyboard)
- Ensuring that keypresses are sent securely from the kernel to a lightweight userspace application that performs the encryption/decryption
- Avoiding the storage of key material or plaintext in memory where upon deallocation (this could occur without the application having a chance to exit gracefully and overwrite the memory), another process can read the now-free memory region to obtain the key or plaintext
- Ensuring there is no doubt as to the validity and trustworthiness of passphrase prompts
I'm skeptical as to whether a web browser implementation (in JavaScript, not part of the browser itself) can address the issues listed above.
Re:Isn't encryption in JavaScript considered harmf by Martin+Blank · 2011-11-22 05:08 · Score: 3, Informative

Hushmail lost a lot of credibility a few years ago when it turned out that its most commonly-used encryption method that ran server-side was delivered in a modified state at the request of government agencies. Yes, there are issues with trusting anything server-side, but its promises started sounding hollow when the CTO openly admitted it.
If you built your own applet from the public source code, the interception was not an issue, but if you used the easier mechanism hosted by Hushmail, you were at risk of your mail being decrypted and turned over.
http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

--
You can never go home again... but I guess you can shop there.
Re:Whats this obsession for everything in Javascri by drfreak · 2011-11-22 14:10 · Score: 2

Link-level, yes. However, what if google's certificate got hacked? With your emails signed and encrypted (especially on the client side) it would add en extra layer of security.