from Hacker News

Contact form encrypts message with PGP before sending

by joushx on 9/15/13, 12:18 PM with 34 comments

  • by fooyc on 9/15/13, 1:09 PM

    Is there any benefit of doing this on the client side?

    The message is sent through HTTPS anyway.

    If HTTPS was compromised, the javascript code signing the message, and the signing key, and everything related to handling the clear text message would be compromised too anyway.

    This is redundant with HTTPS, but also useless if HTTPS is MITM.

  • by y0ghur7_xxx on 9/15/13, 1:29 PM

    The page loads jquery from google cdn, so at least google could inject js in the page and read the message before it gets encrypted.

    I know, for a contact form this is very unlikely, but just from a security point of view, if I would write something like this, I would host js loaded by the page on my own server.

  • by JosephRedfern on 9/15/13, 12:43 PM

    It must be suck to be Johannes right now... I wonder how many emails containing random gibberish he is receiving?

  • by eli on 9/15/13, 2:43 PM

    This idea (encryption in javascript in a regular web browser) comes up very often on HN. It's not a good idea. Since I have no way to trust/verify that the encryption code itself has not been tampered with (beyond HTTPS) then it is only secure as HTTPS.

    You've added a fair bit of complexity for no specific benefit; likely a net loss in terms of security.

  • by mfwoods on 9/15/13, 1:10 PM

    I'm not sure what this adds over applying PGP on the server?

    The way to intercept the message with the server doing PGP would be to either MITM the connection or breach into the server to intercept before encryption.

    In both cases you could just as well modify the javascript served to the browser to defeat the PGP done in the browser as well.

  • by cheyne on 9/15/13, 4:51 PM

    Nice.. You can also do in browser client and sever side encryption now with https://www.noteshred.com

    See https://www.noteshred.com/client-side-encryption

  • by sambeau on 9/15/13, 1:21 PM

    I'd never seen SocialSharePrivacy either (It's linked in the page code), but it's an interesting idea:

    http://panzi.github.io/SocialSharePrivacy/

  • by aluhut on 9/15/13, 2:21 PM

    I love the usability of this.

    I hope the issue of usability gets more attention in future security tool development.

  • by st00pid on 9/15/13, 2:27 PM

    google cannot translate his form. Why not? If I can see it, so can google.

  • by mschuster91 on 9/15/13, 12:26 PM

    Nice, but how did you port openpgp to Javascript?

  • by rorrr2 on 9/15/13, 12:54 PM

    And where's the key stored on the client and how is it shared with the server?

    I'm too lazy to parse their JS code.