Hello! Many social platforms have web-interface. For example Diaspora* is a quite nice and free software friendly project and it is based on web technologies.
Web proves that it is convenient technology, but it lacks one major point - it doesn't have support for end-to-end encryption. Even in such a friendly thing as Diaspora there is no way to keep a conversations private from pod admins, and I see no simple way to implement it. Of course, we can use javascript to implement a browser side encryption. But javascript programs are not trustworthy enough, because they are loaded from a website on its load and could be changed easily by a 3rd party (e.g. node admin) and it is hard to control whether they weren't tampered. Encryption is too sensitive for javascript. So we need the software to be received from trusted source. Just like we receive browser from the repositories of our GNU/Linux system, which are trusted and have some ways to prove the software was not modified. We could use browser extensions to implement end-to-end encryption, but they hardly can be convenient, because they will always lack some important information, for example information on your recipient, that could be received only with the help of the website. This information is required to implement such useful things as automatic key selection for the recipient. So the problem of end-to-end encryption in web-based software requires that browser interacts with the website receiving required information, but all the software that does the encryption loads from the computer of user, not from the Internet at web site load time. All that led me to the idea, that implementation of end-to-end encryption in web technologies should be a part of web standard, so the rules of interactions between website and browser encryption module is defined strictly. For example, it could be defined as special kind of forms, that is filled by user with unencrypted text, but when you submit the form, browser really sends it PGP encrypted using key, that is determined by the context (you are in a web chat with certain recipients). This also can help in providing some extra security for this text blocks, because browser could isolate unencrypted text from any javascript, that may want to read it. So, here is my question to you, as a social networking project members. Have you ever though of necessity of realizing end-to-end encryption as part of web standard? Do you think it is possible to push? Maybe it is nevertheless possible to implement end-to-end encryption with some javascript using some extra security and isolation measures? Or maybe you have some other ideas how to implement it, that I didn't think of?
