Using PGP to Secure Web Applications-Part I
While products such as PGP Universal and PGP Desktop have done a successful job of protecting email and storage, securing the data presented in web applications has largely been unaddressed. Users of web mail (Gmail), forums, blogs and group calendaring (Google Calendar) currently have no reasonable way to ensure the privacy of their information, because it often resides on the web server. This pair of blog posts discusses the various options for using PGP technology to extend the web client, with the goal of securing web data with and without the consent of the web site operator.
Securing Web Data...An Undiscovered Country
Client-Side Extensions
Modern web browsers such as Firefox, Safari and IE can be extended with user-added plugins. For example, media such as Adobe Flash and Apple QuickTime are handled by plugins. One of the more common plugin architectures is the NPAPI (Netscape Plugin Application Programming Interface). Some browsers, such as Safari, also have additional plugin architectures such as WebKit. When a plugin is installed, it notifies the browser that it can handle a certain content type. When the browser encounters this content type, it streams the content to the plugin so that the plugin can render it. For example, the following HTML specifies that the data that follows it should be handled by a PGP plugin.
<embed name="pgpplugin" id="pgpplugin" type="application/x-pgpplugin" hidden="true">
<script>
function encrypt(emailAddress, cleartext) {
  var pgp = document.getElementById('pgpplugin');    // the embedded plugin instance
  var result = pgp.encrypt(emailAddress, cleartext); // call the plugin's scriptable method
  return result;
}
</script>
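A fail-closed wrapper around the plugin call, as an added example that is not part of the original post: it hands back form data only if every sensitive field came back from the plugin as an ASCII-armored message, so a missing or failing plugin can never result in cleartext being posted to the server. Only `pgp.encrypt(emailAddress, cleartext)` comes from the page; the function names, the stub plugins, the sample form and the assumption that the plugin returns armored text are assumptions of this example.

```javascript
// Added example. Hypothetical names throughout, except pgp.encrypt() from the page.
const ARMOR_HEAD = '-----BEGIN PGP MESSAGE-----';
const ARMOR_TAIL = '-----END PGP MESSAGE-----';

// Assumption: the plugin returns an ASCII-armored OpenPGP message as a string.
function looksArmored(value) {
  if (typeof value !== 'string') return false;
  const text = value.trim();
  return text.startsWith(ARMOR_HEAD) && text.endsWith(ARMOR_TAIL);
}

// Returns a copy of `fields` in which every name listed in `sensitiveNames`
// has been replaced by ciphertext. Throws instead of returning any cleartext.
function encryptFieldsOrFail(pgp, recipient, fields, sensitiveNames) {
  if (!pgp || typeof pgp.encrypt !== 'function') {
    throw new Error('PGP plugin not available; refusing to submit cleartext');
  }
  const out = {};
  for (const [name, value] of Object.entries(fields)) {
    if (!sensitiveNames.includes(name)) {
      out[name] = value; // non-sensitive field, passed through unchanged
      continue;
    }
    let result;
    try {
      result = pgp.encrypt(recipient, value);
    } catch (err) {
      throw new Error('encryption failed for field "' + name + '"');
    }
    // Empty strings, error text or anything else unarmored is treated as failure.
    if (!looksArmored(result)) {
      throw new Error('plugin output for "' + name + '" is not an armored message');
    }
    out[name] = result;
  }
  return out;
}

// Constructed stand-ins so the example runs outside a browser. The "working" stub
// only reverses the text inside armor lines; it is a placeholder, not encryption.
const stubPlugin = {
  encrypt: (to, text) =>
    ARMOR_HEAD + '\n\n' + text.split('').reverse().join('') + '\n' + ARMOR_TAIL,
};
const brokenPlugin = { encrypt: () => '' }; // e.g. no key found for the recipient
const sampleForm = { to: 'alice@example.com', subject: 'lunch', body: 'meet at noon' };
```

In a page, the first argument would be `document.getElementById('pgpplugin')`, and the submit handler would cancel the submission whenever the function throws.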
That's it for today. Next time we'll take up the challenge of decrypting data without the key necessarily being present.