Re: PGP/GPG does not work easily with web-mail

2014-04-09 Thread Tim Prepscius
PGP actually does work well with web mail.

There are two libraries which do pgp encryption; there are 3 that I
know of which do AES-SHA256-CBC-PKCS7.  There are at least two libraries
which do PBKDF2-SHA256.

There is also one library which does AES-SHA256-GCM, but I'm not sure
if it does pkcs7 or not.  (or whether padding is incorporated into
GCM, need to research).

Looking up keys on a pgp key server is trivial, registering a key is
also trivial.

---

However there are some legitimate concerns.  The most important to my
mind are javascript injection attacks.

For instance, let's say the NSA takes over your web-mail server.  You
think, "well my users' data is fine, because all of the encryption is
happening client side, I never see any of the keys, etc."

However the NSA could *force* you to place code inside your server
which tells the client to send the keys to you randomly.
This would be difficult (not impossible) to detect, and when executed
*once* would completely destroy the privacy of the target machine
forever.

Generally these days, (at least the conversations I've been reading),
people are talking about making "plugins" out of the client side code
and protecting them through the app store.  So, I download the app for
the client, I check its signature.  It *NEVER* downloads code again.

I think there are some other solutions to this problem, which I could
babble about, but won't right here.



However, there are still attacks.  For instance, I'm the NSA, I've
spent the hours necessary reading through your code to know that if I
write you an email with SO-and-SO pattern, when you display that
e-mail my script will be run.  That script then would destroy the
privacy.  This is a very hard attack to guard against.

---

In the webmail I'm developing (I wrote one previously using GWT which
was too complicated, too difficult to maintain and enhance; this one
is much simpler), my goals are threefold:

1. raise the cost of the NSA exponentially.  I want them to have to
spend considerable time for each target, instead of just "hey Google,
give me these 20,000 peoples' email."

2. re-normalize the idea of privacy.  Google has pretty much destroyed
privacy.  And they are trying to destroy anonymity as well.  I believe
it is important to have by this year's end at least 10 services
running which re-normalize privacy in e-mail.  Each service hopefully
will castigate Google and call them for what they are.

3. give "good" security.  Nothing will protect you if you are
*actually* some terrorist or something, but it would be nice if we
weren't being big-brothered *all* of the time.

---

I encourage you to look at the others people referenced.  Also, if
you care to, take a look at mine as well.
https://github.com/timprepscius/mv

If you need any help setting up a server, let me know.  If you are
versed in sys-admin, it should take 5 minutes to get a VM running, or
use something like DigitalOcean.

The benefit of my server (I think) is that you should be able to
change how it looks and feels without changing any of the fundamental
code.  Meaning you can change the html templates and css and what not,
and it will still function correctly.  It uses Backbone, so the
rendering is clearly separated from the code/models.



Anyhowz,

If you are looking for perfect security, web mail is not the way to go.
Hopefully a plugin will be able to provide near-ish the same security
that a standalone program with no javascript interpreter might.
But that doesn't mean that PGP WebMail won't be a billion-million
times better than gmail.  (can't wait to leave it! so close, soon
soon)

Good night,

-tim

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


request for pgp encrypted messages for testing

2014-04-09 Thread Tim Prepscius
Hey there,

As I've said before, I'm working on a PGP based web mail program.
https://github.com/timprepscius/mv


The whole thing is GPL-Affero.  Copy, steal, add, reduce, as you wish.

Demonstration is here (which is often killed/reset/etc/so...):
http://pmx.mooo.com/

And some screenshots:
http://tinypic.com/r/2ljmj9i/8
http://tinypic.com/r/4vp7hu/8

Also, if anyone is interested in what the db looks like (without
actually setting it up for yourself):
http://pmx.mooo.com/mv/util/Dump

-


At this point I'm at 100% for testing signatures of messages (both
inline and pgp-mime).  (Prob actually 95% but not enough test cases
yet.)


I need more messages testing encryption.  I have found a few bugs in
openpgpjs concerning mime signing, and am dubious that it will
function perfectly with pgp-encryption.

If anyone here would like to help, please send an encrypted message to:
g...@pmx.mooo.com

g's public key is here:
http://pastebin.com/raw.php?i=RAi8cfjC

If you would like your message to be placed in a public repository of
these messages, please include that in the encrypted block.
Please send whatever you'd like, html/text/attachment/etc.

My email address is timprepsc...@gmail.com.  You can let me know
through the gmail if mooo does not go through (I'm using postfix
default settings).



Thank you to those who have already helped, and thank you all for your
time previously (with regard to the mime signing issues)

-tim



Re: checking signature of pgp mime

2014-04-05 Thread Tim Prepscius
It turns out Doug Barton's ppf_mime was able to generate the block + sig.
So, I have a working example.

Thanks for your time,

-tim

On 4/4/14, Tim Prepscius  wrote:
>> On Thursday 03 April 2014 15:06:57 Tim Prepscius wrote:
>> > Greetings,
>> >
>> > So as I said before, I'm working on a pgp base web mail app:
>> > https://github.com/timprepscius/mv
>> >
>> > I am having problems validating the signature of a small percentage of
>> > test cases.  However GPG with apple-mail says the signatures
>> > checkout, soo... I'm obviously doing something incorrectly.
>
>> KMail also says that the signature matches.
>
> Does KMail (or any other mail application) allow the user to get a
> dump of the signed portion of the message?
>
> (apple mail doesn't and the gpg debugging doesn't include it).
>
> I need to get a hex dump of what was successfully verified.
> I've spent many an hour now removing a little white space here, a
> little white space there with no verified signature.  (using a
> signature block in a detached file)
>
> -tim
>



Re: checking signature of pgp mime

2014-04-04 Thread Tim Prepscius
> On Thursday 03 April 2014 15:06:57 Tim Prepscius wrote:
> > Greetings,
> >
> > So as I said before, I'm working on a pgp base web mail app:
> > https://github.com/timprepscius/mv
> >
> > I am having problems validating the signature of a small percentage of
> > test cases.  However GPG with apple-mail says the signatures
> > checkout, soo... I'm obviously doing something incorrectly.

> KMail also says that the signature matches.

Does KMail (or any other mail application) allow the user to get a
dump of the signed portion of the message?

(apple mail doesn't and the gpg debugging doesn't include it).

I need to get a hex dump of what was successfully verified.
I've spent many an hour now removing a little white space here, a
little white space there with no verified signature.  (using a
signature block in a detached file)

-tim



checking signature of pgp mime

2014-04-03 Thread Tim Prepscius
Greetings,

So as I said before, I'm working on a pgp based web mail app:
https://github.com/timprepscius/mv

I am having problems validating the signature of a small percentage of
test cases.  However GPG with apple-mail says the signatures check out,
soo... I'm obviously doing something incorrectly.

Is there a developer of gpg-apple-mail who could let me know, given a
specific example, what the actual block is which has been signed
(including whitespace/line endings/etc)?  (I think if I could solve
one problematic example, it would enable me to solve the others.)



An example problematic email is this:
http://pastebin.com/raw.php?i=1zm9sdcE

This is the derived block: (I send this into openpgpjs)
http://pastebin.com/raw.php?i=XThs22KR


-tim



building a pgp mime test suite

2014-03-26 Thread Tim Prepscius
Greetings,

So, I'm slowly building a test suite of pgp mime for:
https://github.com/timprepscius/mv

If you'd like to help out, please send a mail
(encrypted/signed/signed+encrypted/html/just-text/attachment/etc,etc/whatever-you-would-like)
to:

g...@pmx.mooo.com

g's public key is:
http://pastebin.com/raw.php?i=rW3qmbnE


If you'd like your mail to be put in a public set of
mails+known-pgp-public-keys (for other people besides me to test
pgp-mime), please indicate so in the body of your mail; otherwise I
will test with it only privately.

If you have any problems sending mail to g, let me know, I'm using
postfix with the default configuration, perhaps it needs to be
tweaked.

I would appreciate any help.

Thanks,

-tim



gpg debugging of signed mimes

2014-03-24 Thread Tim Prepscius
Hello,

I'm working on a pgp based webmail.
https://github.com/timprepscius/mv

Yes, I know, javascript injection.


Is there any way I can have gpg apple mail display exactly the part of
the mime that was checked for a signature?

I'm signing things incorrectly, but I think it is a white space issue...
Not sure.  It would be helpful if I could see what gpg/apple-mail
thinks I signed.

(or if anyone has any other hints as to a better way to debug this
(besides reading the RFC, which I have))

-tim



test suite of pgp mime messages

2014-03-23 Thread Tim Prepscius
Is there a test suite of pgp mime messages somewhere in the source code?

-tim
