On 23/08/13 09:53, DC wrote:
> Hi everyone,
> 
> I'm DC, and I've been lurking here for a few weeks :)
> 
> Since the NSA leaks, I've been inspired to work on an old dream: end-to-end
> encrypted email.
> 
> One difficult problem in public-key encryption is key exchange: how to get a
> recipient's public key and know it's really theirs. 
> My plan is to make your email the hash of your public key.
> For example, my address is *nqkgpx6bqscsl...@scramble.io*
> (I borrowed this idea from Tor Hidden Services.)
> 

This does not improve on the properties of PGP, fundamentally. Without a
pre-existing secure channel, knowledge of this public hash is just as
susceptible to MitM.

You can argue "well my email address is pasted on so many websites, it's
infeasible for an attacker to MitM all of them", but you can say the same thing
for PGP keys too.

In some senses it's even worse because a human has to remember the hash
*exactly*, instead of having PGP manage the email<->fingerprint mapping for
you. You could write some address book software to improve on this, however.

> This lets you build an email system with some nice properties:
> * It's webmail. I want something easy to use and understand, unlike PGP, so
> that nontechnical people can grok it.
> * Webmail has an inherent weakness: if push comes to shove, the NSA can compel
> a Scramble server to serve bad Javascript to their users. I want to give users
> the option to install the app as a Chrome extension. Same HTML, CSS, and JS,
> but served locally, so the server is untrusted.
> * You can look up someone's public key from an untrusted server, and verify
> that it's actually theirs.
> * Anyone can run a Scramble server
> * It's open source
> * All email between Scramble addresses is encrypted. Both Subject and Body are
> encrypted via PGP.
> * With some precautions, it's possible to avoid associating your real identity
> with your email address at all. This means that even From and To can be 
> anonymous.
> 
> Feel free to try it out! https://scramble.io/
> 
> Here's a more thorough description of my design and my
> motivations: https://scramble.io/doc/
> Finally, here's a more thorough description of the technical
> details: https://scramble.io/doc/how.html
> 
> Thoughts?
> Best
> DC
> 
> 


-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git

-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.
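
The two claims in the exchange above, side by side, as an added example (not code from either poster or from Scramble): a hash-derived address lets a client reject a key substituted by an untrusted server, but the check still passes when the address itself was substituted before the lookup. The derivation (base32 of the first 80 bits of SHA-256), the domain, and the key bytes are assumptions constructed for illustration.

```python
import base64
import hashlib

DOMAIN = "example.test"  # placeholder domain, not a real Scramble server

# Constructed stand-ins for exported public keys (not real PGP key material).
ALICE_KEY = b"constructed-public-key-alice"
MALLORY_KEY = b"constructed-public-key-mallory"


def address_for(public_key: bytes, domain: str = DOMAIN) -> str:
    """Assumed scheme: base32 of the first 80 bits of SHA-256(public key)."""
    digest = hashlib.sha256(public_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + "@" + domain


def verify_key(address: str, served_key: bytes) -> bool:
    """Check a key handed back by an untrusted server against the address."""
    local, sep, domain = address.strip().lower().partition("@")
    if not sep or len(local) != 16:
        return False
    return address_for(served_key, domain) == f"{local}@{domain}"


def demo() -> dict:
    alice_addr = address_for(ALICE_KEY)
    mallory_addr = address_for(MALLORY_KEY)
    return {
        # Sender holds Alice's real address; server answers honestly.
        "honest_lookup": verify_key(alice_addr, ALICE_KEY),
        # Sender holds Alice's real address; server substitutes a key.
        "key_swapped_by_server": verify_key(alice_addr, MALLORY_KEY),
        # Sender copied the address from a page that was altered in transit,
        # so it is Mallory's address labelled as Alice's. The hash check
        # passes because it only ties a key to an address, not to a person.
        "address_swapped_before_lookup": verify_key(mallory_addr, MALLORY_KEY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: key accepted = {accepted}")
```

The third case is why the address still has to reach the sender over a channel they already trust, or be compared out of band, exactly as with a PGP fingerprint.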
