[tptacek]

This appears to be a PHP wrapper around OpenPGP.js. If the encryption comes from Javascript loaded by browsers from the servers every time they visit the site, the encryption isn't "end to end". It's controlled by the server and can be broken by the server.

Also: the RSA Security logo isn't the logo of the RSA algorithm; it's the logo of the company that sells RSA tokens.

[pdx]

I knew this is the first thing I would read. We are becoming pretty predictable.

I tire of hearing this repetitively, every time somebody attempts to take this path, but I recognize you are doing it for anybody that is new and didn't hear the other warnings.

Isn't the perfect the enemy of the good?

Can we recognize that this is a good first step, and definitely constitutes a huge improvement over gmail/yahoo type webmail solutions?

You can still quickly add a disclaimer that you hope they quickly begin the large task of development of native windows/mac/linux/ios/android apps that will remove the javascript concern.

If you spit on everything that is not perfect, you may be steering people away from taking any action to protect their privacy.

[acabal]

Not in this case, I don't think. If there's a way to break encryption, even in the smallest way, then it's not really encrypted, and calling it "good enough" does a disservice to people who actually expect it to be flawless.

Look at Lavabit, which was good but not perfect... everyone thought they were protected enough, and then the government came knocking and all of a sudden the little gotcha of "Well, Lavabit did have access to your data after all, even though they promised not to look and also be really careful about their encryption keys" is the crack they use to blow the entire thing open. (Though that was a pretty damn big crack, admittedly.)

If there's a way to break in, then it will be broken in to--and then "good enough" all of a sudden becomes "tragically and dangerously broken" for the kinds of people who trusted it the most: activists, whistleblowers, informants, political radicals, etc.

[pdx]

That's fair, and I do not want him to stop warning us. I recognize his expertise.

I just feel that these sorts of criticisms, that are not sandwiched with at least a little positive message, are keeping people paralyzed in gmail and yahoo and msn while they wait for perfection.

[tptacek]

What positive message are you looking for here? Are you just glad people are trying to protect people, even if they're failing?

[read]

tptacek, can you suggest a design for end-to-end email encryption delivered through a browser?

As theboss mentioned [1], is:

(a) browser crypto theoretically impossible, is it

(b) that something's practically from browsers today (like build-in crypto code) for a practical solution, or is it

(c) that existing attempts have not attempted to do something that is theoretically possible?

If I understood you correctly, you alluded verification might be possible [2] but it seems there isn't yet a clear description or understanding of what's possible and what's not.

[1] https://news.ycombinator.com/item?id=7757892

[2] https://news.ycombinator.com/item?id=7757678

[tptacek]

Verification isn't possible in modern browsers. This is an inherently hard problem, one that has caused some people who've launched carefully-designed encrypted mail systems to abandon the effort.

[tptacek]

I don't know about the "perfect" and the "good", but the "trivially breakable" is definitely the enemy of "keeping secrets from governments".

[pdx]

You choose to ignore my point. Obviously you know about "perfect" and "better than gmail", right?

[tptacek]

Then Gmail is more secure than this service, because Google's servers are pinned in browsers, so you can't compromise them by compromising any CA in the CA hierarchy.

[fareastcoast]

I don't really agree with this. Gmail is compromised by the NSA sending one email to Google.

[prayag]

I hear you dude but this is clearly not "end-to-end" encryption. End-to-end has a very specific meaning. End-to-end encryption means a messaging system in which one or more compromised node from node 1 to N-1 could not eavesdrop on the message. In this solution if you get access to node 1 (the server), you get access to the message. It's binary. There's either end-to-end encryption or there isn't. This one isn't.

[kingzero]

> Can we recognize that this is a good first step, and definitely constitutes a huge improvement over gmail/yahoo type webmail solutions?

No its not. "Browser crypto" in the form of JS is broken. There are many different possible attacks. So a false sense of security is actually worse then no security at all.

[afreak]

If you're concerned about keep things private, having it technically sound is important. This application fails that and as a result deserves to be shot down.

There is no need for niceties when you're trying to promote something as secure when it isn't.

[stonogo]

> Isn't the perfect the enemy of the good?

Yes, but neither of those descriptors apply to this product.

[john_b]

One can worry about making a system perfect once it solves the problem it sets out to solve. They chose to build on a platform (browsers) that has known security issues at a conceptual level, and have apparently ignored those issues while advertising an end-to-end secure service. That doesn't inspire trust. Perfect comes after working.

[sp332]

tptacek doesn't seem to be "spitting". He just pointed out that the crypto can be broken by the server so this doesn't count as end-to-end crypto.

[waltherg]

But but ... MIT, Caltech, Switzerland, CERN ... amirite?

No honestly, thank you for your comment and the ensuing discussion - most people get swayed by big names and such and reading sincere criticism of this sort of stuff is important and educating.

[duongkai]

When I see the RSA logo, I must reconsider using this service.

[fareastcoast]

The JS doesn't appear to be compressed so it's possible to view source and see what exactly it's doing. So if it was actually backdoored, somebody will actually find out.

[tptacek]

You can't just review "openpgp.min.js". You have to review every single Javascript input and every single DOM node, and any of them can alter the behavior of any other element of the Javascript runtime in subtle ways to subvert cryptography.

And you have to do this every time you load any page on the site, and any time any of those pages asynchronously load any content.

So, no, contrary to popular belief, this doesn't work.

[theboss]

Why can't browsers just build crypto primitives in that can be called from js?

I don't understand what people's obsession with browser crypto is...but I don't know enough about browser's to think of a reason this solution is bad. Any guidance?

edit: I understand that this won't solve all the problems...but at least the problem that you are constantly being served this chunk of potentially unsafe code.

edit2: I've been doing some thinking. Even though I didn't really get a response I think the reason is that it doesn't buy you the ability to do anything new safely. You still have the old problems of other dom elements mucking with your dom elements that control the code, or whatever the site does...so it doesn't really buy you anything...it's just work for nothing.

I still think it would be a useful start to one day having safe browser crypto

[IgorPartola]

Since you insist on a longer explanation, here goes:

You can have crypto primitives in the browser: AES, RSA, ECDSA, etc. So given a private key and cyphertext you can decrypt it and given a public key and a piece of cyphertext you can encrypt it. The actual crypto code is just a callout to libssl. In this regard, you can do this right now: simply wrap libssl from within Chrome's JS engine and you are done.

Now what? What can you actually do with this stuff? Well, you could create an email client: one that downloads a message over XHR and decrypts it. That's great, except the code to run this app is unsigned and downloaded from a remote server! I can pwn the server, add my own code that will backdoor the app and send me your private key as soon as it's in memory.

"BUT!" you say. "I can sign the code!". I say to that, how will you verify that signature? By downloading the piece of code from a remote server? I'll just pwn the server and add my own code to accept my signatures, then add the code to send me your private key.

"BUT!" you say. "I can have the signature verification code built into the browser. Look ma, no remote code download that's not signed!" I say to that, how do you know that the developer was not forced by the NSA or another powerful adversary to give up their private key or just coerced into created a backdoored package to own you specifically? You don't. You didn't grab the source and compile it. Instead, you downloaded and ran a code blob.

The solution to all of this already exists and it does not involve the web. It's called package management. Your distro already does this: multiple people review the source code that goes into every package and every step of the way is cryptographically signed. The binaries are built on trusted machines and distributed with yet more signatures. There is peer review through and through.

Compare this to a closed-source web application you are trying to secure. In this case the best you can do is say "if you trust me (the developer), and you trust that I know what I'm doing so my servers don't get pwn'ed, and you trust that I have not been coerced by the NSA/other gov't agency, then you can trust this code".

Except, you don't need client-side crypto for that. You already have HTTPS which provides the same guarantee without re-inventing a square wheel. QED.

[read]

You conflated two things.

Yes, having full source code is a sufficient condition for security. But you also implied that the hypothetical browser crypto primitives would allow one to do anything they want with the decrypted data, which might be too loose of an assumption.

For example, you could make the browser crypto primitives work so that you can only display unencrypted data (or a private key) but not be allowed to ship them off to servers.

The key idea is that you are still in control of the browser core, and that core has more control over the code shipped by the server. So you can make that core stricter than Javascript.

For example, about the problem of "other dom elements mucking with your dom elements that control the code" you can make the browser disallow this.

If I'm missing something, it's something related to these primitives. Can anyone help figure those out?

What exactly is theoretically impossible about browser crypto?

[IgorPartola]

Sure, if you want to break JS the language. JS doesn't have a concept of "here have a variable with data inside of it but you cannot touch it". Ask yourself: "what does 'display' unencrypted data mean?"You are describing a different system entirely from what an HTML renderer + JavasScript engine can do.

[theboss]

Funny. I typed up my edit2, hit enter, and had a reply from you basically saying the same thing. Also, I never said anything about use-cases, signing code, etc. Only "does this safely get you the primitives", not about what you can do with them. The "you say" in your explanation are not what I said.

[IgorPartola]

Must have crossed paths. Yes, essentially it boils down to the fact that having crypto primitives can be easily done but gives you absolutely nothing in terms of what you can actually do with it. You need a different infrastructure to deliver code/binaries to do that (such as distro packages), and the web, by its definition, is not that.

This has been discussed many a times on here, by tptacek and others. In fact, at one point I had a similar discussion with him on here. It seems like it's something that people have to think through before they see the problem (which speaks to the complexity of the issue here).

[yuhong]

Except that HTTPS does not let you encrypt/decrypt data using your own key for example. I am thinking of things like S/MIME.

[IgorPartola]

Once again, why would you use S/MIME in the browser? It is an insecure environment BY DESIGN. It cannot be made secure. Ever. So stop thinking of S/MIME. Or think through how you would actually secure it. Then realize that it cannot be done.

[rdl]

I agree we need to move toward being able to build secure client apps in the browser. It's clearly "important", in that a lot of people want it, for meaningful and good reasons, and this is likely to continue. It's just not possible today.

Signed extensions are a decent step today (although installing an extension is potentially about as heavy as installing a client app, depending on how locked down your environment is).

CSP and some future extensions can be helpful.

There's server-side stuff which can help, too.

WebCrypto is a useful step.

The problem is it's going to be a long process involving a lot of parts, controlled by different parties. So it's responsible to say "we're going to build a webapp which is as secure as we can make it today; these are the known vulnerabilities". Some users are in a good position to evaluate the risks, others aren't. I care a lot more about things doing what they say they're doing than what in particular they say they're doing. The scary thing is when the people building something don't seem to know the well-known vulnerabilities.

[cynwoody]

The problem with browser crypto is that code is downloaded from the server ... nothing to install, so convenient. Right?

The danger is that you are back to trusting the server. If they are compromised, you could get served special crypto code that uploads your private pass phrase the next time you log in.

The crypto code needs to come from a trusted third party, and the protocol with the server must be dead simple and strictly arms-length, with no logic of any sort downloaded from the server. More like FTP than HTTP/HTML/JS.

[theboss]

There are a ton of other problems associated with crypto code. I'm talking about crypto primitives being provided by the browser. The rest of the problems associated with it, I'm not asking about.

You're echoing the problem that my question is asking if it solves...

Edit: Also, you definitely need more than the code to come from a "trusted third party", otherwise we would see SaaS startups on HN providing "crypto as a service" (god help us).

[IgorPartola]

It is a long story and has been discussed one million times on here at least. Google the answer or just trust that crypto in JS cannot be not because the implementation is hard but because it is not possible in principle.

[theboss]

I'm only talking about solving this 1 problem related to js crypto...

[yuhong]

I wonder if XHTML would make sense here, to make XSS attacks more difficult.

[rdl]

You can serve different JS to "special" users once. If you're smart, you run checks "for the security of the browser environment" first to make sure it's something unlikely to contain debugging capabilities, e.g. an unmodified iOS device.

The site even helpfully asks you to identify yourself with ANOTHER username and passphrase first, making it even safer for the attacker.

[fareastcoast]

An attacker would have to (1) Gain access to the server in Switzerland (without the admins noticing) or (2) Break the SSL and execute a MITM attack.

It seems ProtonMail actively scans the code on the backend for unauthorized changes. It's not 100% secure against a very determined attacker (NSA), but for the citizen that wants more privacy without the hassle of PGP, it's pretty good until we can replace SMTP.

[tptacek]

The same thing is true of a mail server in Switzerland that uses TLS and doesn't use clientside encryption.

[rdl]

Honestly if it is a good usability service based in Switzerland with no special sauce, but well run, I would like it. The only problem I have is that the security asserted doesn't match the reality of a decent threat model.

You can go pretty far with policy and law alone.

[sp332]

Or (0) Be an admin.