On 12/11/14 03:13, senya wrote:
> Hello!
>
> So we need the software to be received from trusted source. Just like we
> receive browser from the repositories of our GNU/Linux system, which are
> trusted and have some ways to prove the software was not modified.

Indeed.

> We could use browser extensions to implement end-to-end encryption, but
> they hardly can be convenient, because they will always lack some
> important information, for example information on your recipient, that
> could be received only with the help of the website. This information is
> required to implement such useful things as automatic key selection for
> the recipient.

Indeed.

> So the problem of end-to-end encryption in web-based software requires
> that browser interacts with the website receiving required information,
> but all the software that does the encryption loads from the computer of
> user, not from the Internet at web site load time.

Indeed.

> All that led me to the idea, that implementation of end-to-end
> encryption in web technologies should be a part of web standard, so the
> rules of interactions between website and browser encryption module are
> defined strictly. For example, it could be defined as special kind of
> forms, that is filled by user with unencrypted text, but when you submit
> the form, browser really sends it PGP encrypted using key, that is
> determined by the context (you are in a web chat with certain
> recipients). This also can help in providing some extra security for
> these text blocks, because browser could isolate unencrypted text from
> any javascript, that may want to read it.

That's what I've designed and prototyped, except for PGP and Javascript :-)

I avoid all the accumulated cruft of those programs and implement it on
top of TLS and private CAs, one for each website.

> So, here is my question to you, as a social networking project members.
> Have you ever thought of necessity of realizing end-to-end encryption as
> part of web standard? Do you think it is possible to push? Maybe it is
> nevertheless possible to implement end-to-end encryption with some
> javascript using some extra security and isolation measures? Or maybe
> you have some other ideas how to implement it, that I didn't think of?

Take a look at Eccentric Authentication.

Please read:
http://eccentric-authentication.org/blog/2012/10/23/a-blog-site.html
http://eccentric-authentication.org/blog/2013/06/07/run-it-yourself.html

Or read:
http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html
and:
http://eccentric-authentication.org/Usable-Security.pdf

With regards, Guido Witmond.
eccentric-authentication.org
