Profit is wonderful, even more so if earned through other means than tracking users' Internet activity unknowingly. Most users of the Internet don't know that Google sees them in most corners and much of the data collection remains.
Most users don't know how to defend themselves pro-actively. For example we have the disaster of people being connected with their political views in France[1]. The same (not really, hashed emails) vulnerability was then used by the Swedish Researchgruppen[2], an extremist leftwing organization, to publish who said what under the assertion of anonymity and as a direct followup leftwing journalists are now chasing outed "trolls" with baseball bats and cameras[3] for a TV show(!).
Nedless to say these individuals are being directly targeted and harmed due to what they wrote on the Internet. It's not the fault of Disqus or Gravatar, it's the consequence of uninformed users.
Now imagine the hoards of victims that will emerge in the shadows of a Google database leak. For it will leak, of course it will, it's only a matter of time. If data can get out of North Korea it can get out of Google.
The dangers are not necessarily what Google is doing but what Google enables others to do.
Google closed down their service in China in protest againt what they said was anti democratic; remaining in the US is a hypocrisy, although perfectly aligned with other propaganda.
You are right, this is very much government driven. I agree - we should remove the government. Google can lead the revolution by closing down or switch jurisdiction in protest. Their voice is heard, ours is not.
>> We live under structured societies and under a specific set of rules we call LAW.
We don't, you do. I packed my backpack and moved to the 3rd world at 22 and haven't ever been back because I need chaos. There is practically no law where I am, and that was one of many reasons for abandoning your structured societies.
>> Read Game of Thrones, you might understand that
Amazing insult. "Read a book, you idiot! A really stupid one!" Thanks for the smile. :-)
>> So I suggest you to get out of that imaginary world of yours and live life (I don't say change your ideas), but if you really want to blame someone - BLAME YOURSELF, for voting for the politicians in your country and for not being able to force them into taking your opinion and stop spying on you.
I live in the jungle, life is great here! You should try it. I never voted for any politician. I will never blame myself for something that I didn't create.
>> Noone forced you to use google search or gmail or whatever it is that google has included in their adSense algorythm
Agree, but on the other hand the general public is uninformed about these matters. I consider customer unawareness to be quite a problem in general. How can we fix it? I don't think asking those that you disagree with to change is a good approach.
It's a legitimate complaint that syadmin'ing all these services is a lot of work, but I think that's actually an argument for working to make deployment of services such as MediaGoblin easier. Right now deploying web applications is hard... if we could get things at least to the point of deploying and maintaining systems are "as easy" (note the quotes) as "apt-get install" and "apt-get upgrade" then we'd be in a much better state. But there's a lot of work happening right now towards abstracting deployment; I think if we can turn some of that effort towards generalizing deployment recipies for everyone (not just people running big clusters of servers) we could make big improvement here. Projects like JuJu and OpenShift are probably the right directions, but admittedly I haven't had enough time to spend playing with them.
Definitely! We have a lead graphic designer and nearly 50 programmers. As you can imagine that graphic designer is overstretched. Do you know any graphic designers who are interested in helping make MediaGoblin nicer? Point them our way, we'd love to talk to them! http://mediagoblin.org/pages/join.html
I always wonder how many open source projects actually look like they do because the creators choose, and like those certain styles.
As a designer there is only that much you can do if you don't get support, or get conflicting views from the client (= all the contributors in the project).
I'm glad I found your comment, I just pushed something like what you just described to one of my repos yesterday. Hear me out, I'm not self promoting myself out of context here.
I'm currently working on an OpenPGP integration for the Roundcube webmail project and have so far added functionality from the OpenPGP.js library. The pros of this is of course usability and that no external applications are necessary, the cons are, amongst others, what you just wrote above.
To be able to support briding local GPG binaries and keyrings into graphical browsers without exposing any critical information I threw together an HTTPD which listens on the client's localhost. The concept is already proven to work, now it's a mere matter of implementation. It's based on the PyGPG library which wraps GPG into Python and is compatible with both Windows and *NIX systems as long as they can execute GPG and Python (which they can).
It's still a work in progress but currently supports key generation and key listing in response to HTTP requests. Through cross-origin resource sharing users can specify which domains should be allowed to speak to it in a simple text file separated by line breaks.
I can conclude that what you are requesting is actively being built and partially already exists but still needs to be put to use. Hope you don't view this as shameless advertising, because it's not. I'm only responding because your ideas are spot on what I pushed yesterday.
My plugin does nothing crypto based on the server side, everything is happening locally in the browser through JavaScript and in the future there will be an additional driver for performing crypto opts in GPG binaries as described in my comment above.
I don't mean to be harsh but server sided crypto is far from a good idea. It provices violent regimes, such as America, a technical ground to force hosts into backdooring their server sided crypto. Anything alike must be done on the client for safety and privacy to be ultimately achieved.
Given that practically all (to at least 4 significant digits) of my mail arrives at the mail server un-encrypted,I think there's still some value in encrypting it before the server stores it. I'm setting up some perl scripts to help exim encrypt to my public key any non-encrypted mail before it delivers it into the local mailbox. That's still subvert-able by anybody with enough power to lean on the hosting company, but then all that mail was interceptable in transit anyway - at least I've made sure that stored archives on the hosted server aren't in cleartext.
I'm also considering setting up some scripts for outbound mail - to automatically encrypt any (non-encrypted) mail I send if I've ever received encrypted mail from the recipient. Have the mail server keep a record of email addresses and public keys, and auto encrypt where possible.
(And in regards to in-browser crypto - I'm unsure there are strong enough guarantees of security in javascript to make me entirely comfortable having my private keys and passphrases hanging around in the process space where rogue javascript and/or plugins might be able to scoop them up…)
That's a valid point, but you won't be effectively encrypt incoming email in the layer of a webmail client. You'd be better off incorporating that before the message is even saved to disk - in the mail delivery of your MTA. So once again it wouldn't be PHP (I hope for your sake!).
"(And in regards to in-browser crypto - I'm unsure there are strong enough guarantees of security in javascript to make me entirely comfortable having my private keys and passphrases hanging around in the process space where rogue javascript and/or plugins might be able to scoop them up…)"
Your sarcasm is entirely valid, but you didn't actually look at the project that you are criticizing. The entire point of what I linked in my comment is that nothing critical should be exposed to the JavaScript, just an API that it can interact with to send commands to: such as keygen, verify this message, send cleartext and receive ciphertext in response, etc. You're preaching to a believer here, :-)
Your ~/.gpg/ is -not- accessible to JavaScript. The interface, the GnuPG binary, is. That's the point. Now we can both agree that exposing private keys in such an API is a bad idea.
Oh, and I hadn't intended "sarcasm", apologies if it came off that way - I'd expected to be more likely accused of paranoia... I've actually got PGP and encfs installed and testing on my iPhone & iPad, but I've not managed to convince myself it's "safe" to put real (as opposed to "just created to see if this works") private keys for either of them onto an iOS device, with all the lack of transparency about who's actually "in control" of those devices.
While I'm reasonably sure GPG/encfs on my phone will reduce my exposure to "dragnet style, intercept and archive everything" surveillance, if the NSA are after _me_, I've no doubt that there are people at the NSA who've already worked out how to coerce Apple into pushing a software update to my phone that sniffs around with root access looking for things that look like private keys, and keylogs things that look like passphrases - and ships them all off to Utah.
(And, truth be told, I strongly suspect all my Windows and Mac OS X boxes would fall in exactly the same fashion, and it wouldn't surprise me too much to find the firmware in my bios or USB bridge or ethernet adaptor or hard drive on my linux boxes is equally traitorous and ready to "sell me out"…)
On the incoming email encryption - yeah, that's in the MTA not the webmail software - having said that, I'm basing what I'm doing off this: https://grepular.com/Automatically_Encrypting_all_Incoming_E... at least partly because Perl is my goto hack-shit-together langiage, I could _easily_ imagine a lot of my cow-orkers choosing to do that in php.
And yeah, I hadn't followed your links, and made poor assumptions about your project. I just briefly skimmed through some of them and I've got a question - have you got a way to protect the passphrase from ending up somewhere the browser can see it? (or, if the decryption is "passphraseless" from the browsers point of view, how do you ensure rogue javascript could pass encrypted data in and retrieve cleartext?)
The questions that you raise is of course what I am interested in discussing. I can't think of any way that PGP/GPG protects you against keyloggers or a pre-infected computer. I agree that they are relevant threats but my question is if it's up really to the developers to prevent rogue JavaScript in third party software and user's localhost. The same threats can be applied on all existing cryptosystems, as for with one-time pads where someone could look you over the shoulder - but that itself is not considered to break the underlying strength of the design. Or another example, how does Enigmail for Thunderbird protect you against having code injected and keys stolen? I don't think it does, but Enigmail isn't considered insecure. I think the questions are fair to raise but I see them raised far more often when people confront new ideas in comparasion to established practice, which I truthfully consider is a bit unfair judgement.
One of the factors which can narrow the scope of attackers is to use products like crypto stick, but then again what is preventing a computer from being rootkitted and having it's keys stolen as soon as they are exposed in the system?
Developers can of course only address weaknesses in what they have control over. We can't stop your computer from being infected by neither rootkits nor rogue JavaScript from plugins that you have volontarily installed. My advice would be to be careful and audit everything that may be a threat in order to at least try and minimize the risks. Unfortunately I don't think many users do that but it's not something we as developers can address and prevent.
The dilemma here is the same as with filesharing: if it's accessible it can be copied and transferred. There's no patch against that.
You described in your post an HTTPd process on the local user's machine that will make shell calls to their installed GPG binary. My PHP port merely presents one alternative way of doing that on any system that supports PHP - without the need for the user to install and configure GPG binaries, and without the need for the HTTPd process to have permission to make shell commands.
If you see encryption tools that others have written - and all you can imagine is implementing them in insecure ways, then that's your own issue.
Check the links posted in the comment you replied to, it's not cryptography in JavaScript: it's JavaScript posting to a httpd on user's localhost which bridges GnuPG. It's not for doing cryptography in JavaScript, it's for doing cryptography in GnuPG and passing it through a httpd which the js talks to.
But yes there is JS crypto in the project, as a planned separate optional driver.
My biggest hesitation here is that you're still trusting the server. Which, not coincidentally, has always been one of the biggest objections to JS crypto. That is, if the server is compromised, it can serve malicious JS, and it can just as easily steal any data that's being encrypted server-side.
To me, one of the most important things about PGP is that the plaintext and the encryption process are entirely in your control. (At least to the extent that you control your own computer.) You lose that assurance if you do server-side encryption.
2) you want to encrypt sensitive informations. You send them to (localhost) B
3) you receive encrypted data
4) you use them through server A
Aren't you sending sensitive informations though javascript served by server A? Didn't you just loose the security that you wanted by encrypting on localhost?
"Didn't you just loose the security that you wanted by encrypting on localhost?"
No, the sensitive information isn't being protected from localhost but from server A and anything else on the path between user and message destination. localhost is the user. For clarification: GPG is on user's localhost, not the server.
1. Alice uses a web app served by server A
2. Alice wishes to send an encrypted message through the web app served by server A to Bob
3. Alice writes the message on her client sided browser
4. Alice finishes and clicks "Send"
5. The web app's client sided code, JavaScript, sends the message to Alice's pygpghttpd listening on localhost
6. pygpghttpd responds with the ciphertext to Alice's web browser
7. Alice's web browser replaces the cleartext content with the encrypted content
8. The encrypted content is sent to server A to be routed to Bob
---------------
1. Bob receives encrypted message from Alice on web app served by server 1
2. Web app's client sided JavaScript sends the encrypted message to Bob's pygpghttpd listening on Bob's localhost
I completely agree. We didn't install a cert since there were some doubts around wether we would sign it ourselves or not.
Either what we decide, a self signed cert is better than none, hence this is now fixed. All http traffic is now redirected to https using a 2048 bit self signed certificate :-)
This of course makes the entire path read-only so it's not a way to make some fields writable and others not.