[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNU/consensus] PGP as web standard
|
From: |
senya |
|
Subject: |
[GNU/consensus] PGP as web standard |
|
Date: |
Thu, 11 Dec 2014 05:13:36 +0300 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 |
Hello!
Many social platforms have web-interface. For example Diaspora* is a
quite nice and free software friendly project and it is based on web
technologies.
Web proves that it is convenient technology, but it lacks one major
point - it doesn't have support for end-to-end encryption. Even in such
a friendly thing as Diaspora there is no way to keep a conversations
private from pod admins, and I see no simple way to implement it.
Of course, we can use javascript to implement a browser side encryption.
But javascript programs are not trustworthy enough, because they are
loaded from a website on its load and could be changed easily by a 3rd
party (e.g. node admin) and it is hard to control whether they weren't
tampered. Encryption is too sensitive for javascript.
So we need the software to be received from trusted source. Just like we
receive browser from the repositories of our GNU/Linux system, which are
trusted and have some ways to prove the software was not modified.
We could use browser extensions to implement end-to-end encryption, but
they hardly can be convenient, because they will always lack some
important information, for example information on your recipient, that
could be received only with the help of the website. This information is
required to implement such useful things as automatic key selection for
the recipient.
So the problem of end-to-end encryption in web-based software requires
that browser interacts with the website receiving required information,
but all the software that does the encryption loads from the computer of
user, not from the Internet at web site load time.
All that led me to the idea, that implementation of end-to-end
encryption in web technologies should be a part of web standard, so the
rules of interactions between website and browser encryption module is
defined strictly. For example, it could be defined as special kind of
forms, that is filled by user with unencrypted text, but when you submit
the form, browser really sends it PGP encrypted using key, that is
determined by the context (you are in a web chat with certain
recipients). This also can help in providing some extra security for
this text blocks, because browser could isolate unencrypted text from
any javascript, that may want to read it.
So, here is my question to you, as a social networking project members.
Have you ever though of necessity of realizing end-to-end encryption as
part of web standard? Do you think it is possible to push? Maybe it is
nevertheless possible to implement end-to-end encryption with some
javascript using some extra security and isolation measures? Or maybe
you have some other ideas how to implement it, that I didn't think of?
- [GNU/consensus] PGP as web standard,
senya <=