sks-devel
Re: [Sks-devel] Encrypt.to searching for beta users


From: Kristian Fiskerstrand
Subject: Re: [Sks-devel] Encrypt.to searching for beta users
Date: Mon, 09 Dec 2013 13:46:48 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1

On 12/09/2013 01:37 PM, address@hidden wrote:
> Hi Stephan,
> 
> Thanks for your feedback. That's right, the user needs to trust
> the service. The toolchain is open source http://openpgpjs.org/ and
> you can review the JS code. How does the "End" in end-to-end look
> like? Instead of using a mail plugin it's a website which runs JS
> code in your browser. Clearly, a PGP user knows how to encrypt a
> message on his PC, but if my non geek friends would like to send me
> an encrypted message without knowing PGP, I provide them one link
> and that's it. And how do you send an encrypted message without
> your PC? :)
> 
> Regards Jan
> 
> 

Granted this whole discussion probably belongs somewhere else, but
since we're first on the topic, let me chime in my two cents.

First of all, any encryption done in a browser will at least have to
be done in a browser extension that does not auto-update. One thing is
whether one trusts a service today, but if tomorrow some completely
different JS can be injected (or only injected based on e.g. IP
address, or other identifiers for a specific user, which we have seen
some cases of) then it can't be trusted.

Second, key validation. Your friends (or friends of anyone using the
service) would have to carry along a phone-book of fingerprints, key
types and sizes for each recipient. Other than the short key ID I
don't see anywhere where this website provides information useful for
key verification procedures. Not even after encryption. What happens if
there is a short keyid collision? And is there a way to verify the
structure of the encrypted message before sending? (similar to gnupg's
--list-packets)


-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nil satis nisi optimum
Nothing but the best is good enough
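
Added example, not part of the original message and not code from Encrypt.to or OpenPGP.js: a sketch of the check the key validation paragraph asks for, confirming a key found by short key ID against a full fingerprint obtained out of band and reporting any short key ID collision. The function names are hypothetical, the colliding fingerprint is constructed, and the keys are assumed to be v4 keys with 160-bit fingerprints.

```javascript
// Strip whitespace and an optional 0x prefix, then upper-case the hex digits.
function normalizeHex(s) {
  const hex = s.replace(/\s+/g, "").replace(/^0x/i, "").toUpperCase();
  if (!/^[0-9A-F]+$/.test(hex)) throw new Error("not hex: " + s);
  return hex;
}

// For a v4 key the long ID is the low 64 bits of the fingerprint and the
// short ID the low 32 bits, so both are simply the tail of the hex string.
function keyIds(fingerprint) {
  const fpr = normalizeHex(fingerprint);
  if (fpr.length !== 40) throw new Error("expected a 40-hex-digit v4 fingerprint");
  return { fingerprint: fpr, longId: fpr.slice(-16), shortId: fpr.slice(-8) };
}

// candidates: fingerprints of every key a lookup returned (hypothetical input).
// expectedFingerprint: the value the recipient gave the sender out of band.
function selectKey(shortId, candidates, expectedFingerprint) {
  const wantId = normalizeHex(shortId);
  const want = keyIds(expectedFingerprint);
  if (want.shortId !== wantId) {
    // The short ID on the page does not even belong to the expected key.
    return { status: "mismatch", fingerprint: null, collisions: [] };
  }
  const matching = candidates.map(keyIds).filter((k) => k.shortId === wantId);
  const distinct = [...new Set(matching.map((k) => k.fingerprint))];
  // Any other key with the same short ID is a collision the user must see.
  const collisions = distinct.filter((f) => f !== want.fingerprint);
  const found = distinct.includes(want.fingerprint);
  const status = !found ? "not-found"
    : collisions.length ? "verified-with-collision" : "verified";
  return { status, fingerprint: found ? want.fingerprint : null, collisions };
}

// Fingerprint and short key ID as printed in the signature block above.
const PAGE_FPR = "94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3";
const PAGE_SHORT_ID = "0xE3EDFAE3";
// Constructed value sharing the same low 32 bits; it is not a real key.
const CONSTRUCTED_FPR = "0".repeat(32) + "E3EDFAE3";

console.log(selectKey(PAGE_SHORT_ID, [CONSTRUCTED_FPR, PAGE_FPR], PAGE_FPR));
console.log(selectKey(PAGE_SHORT_ID, [CONSTRUCTED_FPR], PAGE_FPR));
```

A lookup keyed only on the short ID cannot tell the two candidates apart; the full fingerprint comparison is what decides.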