Hi,
I have what may perhaps seem like a strange question.
Is there any commonly used software for encrypting and
decrypting web pages?
Let me explain that a little better: imagine a web
site which has content destined for specific
individuals. For each individual there is separate
content on
Martin Fick wrote on 15.12.2007 11:08:
> Hi,
>
> I have what may perhaps seem like a strange question.
> Is there any commonly used software for encrypting and
> decrypting web pages?
>
> Let me explain that a little better: imagine a web
> site which has content destined for specific
> indiv
On Sat, Dec 15, 2007 at 11:12:46PM +0600, Vlad SATtva Miller wrote:
:Considering the amount of bugs and weaknesses found regularly (and not
:found) in common browser software (open source or not), it's not a
:well-advised practice to trust a browser handling of sensitive private keys.
While I agr
I have what may perhaps seem like a strange question.
Is there any commonly used software for encrypting and
decrypting web pages?
Yes, SSL .. and it's been around for quite a while.
Let me explain that a little better: imagine a web
site which has content destined for specific
individ
--- Michael Holstein <[EMAIL PROTECTED]>
wrote:
>
> > I have what may perhaps seem like a strange
> > question. Is there any commonly used software for
> > encrypting and decrypting web pages?
> >
>
> > Let me explain that a little better:
> > imagine a web
> > site which has content dest
--- "Jonathan D. Proulx" <[EMAIL PROTECTED]> wrote:
> On Sat, Dec 15, 2007 at 11:12:46PM +0600, Vlad
> SATtva Miller wrote:
...
> What about just HTTPS with user certificates? you
> get both proof of identity and a means of
> encrypting data to that identity, yes?
Is there a mechanism to use HT
Despite my bias, an embedded java app
would not work since it would be
controlled (provided) by the hostile
server right?
You could sign the applet with a key provided to your clients, since
you're using a distribution model where you have known end-users (as you
need their keys to encr
Is there a mechanism to use HTTPS to
preencrypt web pages so that they
are encrypted on the server (and so the
server does not have the keys to decrypt
them!)
Not using HTTPS per-se, but you can use SSL to encrypt files.
My initial constraints are that once the data
is put on the server
On Mon, Dec 17, 2007 at 08:52:30AM -0800, Martin Fick wrote:
:> I may be missing something about the
:> implications of HTTPS, but you could
:> certainly key pgp public keys to x.509
:> identities if you wanted to keep static
:> data gpg encrypted on the server.
:
:I'm not sure that I understan
--- Michael Holstein <[EMAIL PROTECTED]>
wrote:
>
> > Despite my bias, an embedded java app
> > would not work since it would be
> > controlled (provided) by the hostile
> > server right?
>
> You could sign the applet with a key
> provided to your clients, since you're
> using a distribution
On Mon, Dec 17, 2007 at 09:25:13AM -0800, Martin Fick wrote:
:> It's an interesting threat model though :)
:
:Yes, but it really is a fairly simple one.
:I am surprised that HTML does not seem
:to have some extension to deal with this
:already. It is not much different from
:encrypted email conc
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Martin Fick wrote:
> Yes, but it really is a fairly simple one. I am surprised that HTML
> does not seem to have some extension to deal with this already. It
> is not much different from encrypted email concepts, just that the
> browser needs the abi
It is now clear to me that I have been
unclear about the requirements. Let
me try to be more explicit.
1) I am looking for a "point2point",
"sender 2 receiver", secure encrypted
web page mechanism.
2) Senders are untrusted to recipients.
3) Web server is untrusted to recipients.
4) Send
--- Michael Holstein <[EMAIL PROTECTED]>
wrote:
>
> > Is there a mechanism to use HTTPS to
> > preencrypt web pages so that they
> > are encrypted on the server (and so the
> > server does not have the keys to decrypt
> > them!)
>
> Not using HTTPS per-se, but you can use SSL to
> encrypt f
Michael Holstein wrote on 17.12.2007 23:01:
> I'm not a mathematician, but it can't be wise to store multiple copies
> of the same plaintext encrypted by the same cipher using different keys
> .. much crypto has historically been broken that way.
As a side note: In the context of OpenPGP you have
Martin Fick wrote on 17.12.2007 23:25:
> I am surprised that HTML does not seem
> to have some extension to deal with this
> already. It is not much different from
> encrypted email concepts, just that the
> browser needs the ability to do the
> decrypting instead of your mail program.
> The s
--- "Vlad \"SATtva\" Miller" <[EMAIL PROTECTED]> wrote:
> Have you looked at FireGPG Firefox extension?
> http://firegpg.tuxfamily.org/
--- "Alexander W. Janssen"
<[EMAIL PROTECTED]> wrote:
> Why not simply use the Firegpg-extension for
> Firefox?
I had not seen this, thank you, this would
cer
--- "Jonathan D. Proulx" <[EMAIL PROTECTED]> wrote:
> On Mon, Dec 17, 2007 at 09:25:13AM -0800, Martin
> Fick wrote:
>
> :> It's an interesting threat model though :)
> :
> :Yes, but it really is a fairly simple one.
> :I am surprised that HTML does not seem
> :to have some extension to deal with
--- Martin Fick <[EMAIL PROTECTED]> wrote:
> --- Michael Holstein <[EMAIL PROTECTED]>
> wrote:
> >
> > My thought on Java was to be able to
> > automate the key scheme within the
> > browser, versus requiring them download
> > a .gz.gpg file and decrypt it on their
> > own. A (sort-of) working
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Michael Holstein wrote:
(snip)
> I'm not a mathematician, but it can't be wise to store multiple copies
> of the same plaintext encrypted by the same cipher using different keys
> .. much crypto has historically been broken that way.
(snip)
Historic
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
The threat model we're talking about is hostile-server, in addition to
our "old friend" man-in-the-middle, right?
(Just trying to get my brain straight...)
- --
F. Fox: A+, Network+, Security+
Owner of Tor node "kitsune"
http://fenrisfox.livejourna
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Martin Fick wrote:
(snipped a litany of requirements, all of which talking about one-to-one
communications)
To me, it seems that it'd be better to try to modify something
SMTP/POP-like for this, than to modify HTTP for it. It sounds just like
what a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Martin Fick wrote:
> --- "Jonathan D. Proulx" <[EMAIL PROTECTED]> wrote:
>
>> On Mon, Dec 17, 2007 at 09:25:13AM -0800, Martin
>> Fick wrote:
(snip)
>> HTTP is a publishing mechanisim in which you
>> usually want people to see it, or restrict
>> v
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Martin Fick wrote:
(snip)
>
> Well, I think that is exactly what you will get
> if you use pgp or gpg to send an encrypted email
> to multiple recipients.
>
(snip)
IIRC, a GPG message in encrypted only once - even if there's multiple
recipients
--- "F. Fox" <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Martin Fick wrote:
> (snipped a litany of requirements, all of which
> talking about one-to-one
> communications)
>
> To me, it seems that it'd be better to try to
> modify something SMTP/POP-like for
--- "F. Fox" <[EMAIL PROTECTED]> wrote:
> The threat model we're talking about is
> hostile-server, in addition to
> our "old friend" man-in-the-middle, right?
Sure,
-Martin
Never miss a thing. Make Ya
Martin Fick wrote on 18.12.2007 01:05:
> --- "Vlad \"SATtva\" Miller" <[EMAIL PROTECTED]> wrote:
>
>> Have you looked at FireGPG Firefox extension?
>> http://firegpg.tuxfamily.org/
>
> --- "Alexander W. Janssen"
> <[EMAIL PROTECTED]> wrote:
>
>> Why not simply use the Firegpg-extension for
>> Fi
--- "Vlad \"SATtva\" Miller" <[EMAIL PROTECTED]> wrote:
> Martin Fick wrote on 18.12.2007 01:05:
> > --- "Vlad \"SATtva\" Miller" <[EMAIL PROTECTED]>
> wrote:
> What if on sudden he becomes aware of one of the
> recipient key's compromise? Now
> sender needs to decrypt the whole site and
> re-enc
28 matches
Mail list logo
