While products such as PGP Universal and PGP Desktop have done a successful job of protecting email and storage, securing the data presented in web application have largely been unaddressed. Users of web mail (Gmail), forums, blogs and group calendering (google calender) currently have no reasonable way to insure the privacy of their information, in that it often resides on the web server. This pair of blogs discusses the various options for using PGP technology to extend the web client with the goal of securing web data with and without the consent of the web site operator.
Securing Web Data...An Undiscovered Country
Web applications are especially popular among mobile computer users. This is partially due to the computing and power limitation of the mobile devices, but also because of the complexity of security and synchronization issues. While MAPI/Notes and IMAP are often used for corporate mail, web mail has also become very popular. Widespread use of Web 2.0 applications such as forums, blogs, and calendering present special challenges. One way to address the problem of securing web application is to extend the web browser functionality on the client side, either through custom javascript that gets loaded when a web page is accessed or through a browser plugin.
Client Side Extentions
Modern web browsers such as Firefox, Safari and IE have the ability to be extended by user added plugins. For example, media such as Adobe Flash and Apple Quicktime are handled by plugins. One of the more common plugin architectures is the NPAPI (or Netscape Plugin Application Programming Interface). Some browsers such as Safari also have additional plugin architectures such as WebKit. When a plugin is installed it notifies the browser that it can handle a certain content type. When the browser encounters this content type, it streams the content to the plugin with the intent of rendering it. For example, the following HTML specifies that the data that follows it should be handled by a PGP plugin.
<embed name="pgpplugin" id="pgpplugin" type="application/x-pgpplugin" HIDDEN=TRUE>
</embed>
While this is useful for displaying embedded text it doesn't really solve our problem. However, one of the side effects of such an extension is to allow us to export some PGP functionality to a JavaScript application. For example the following JavaScript exploits the embedded reference above to make function calls to the pgpplugin.
function encrypt(emailAddress, cleartext)
{
var pgp = document.getElementById('pgpplugin');
var result = pgp.encrypt(emailAddress, cleartext);
return result;
}
When a JavaScript application running on a web browser encounters the encrypt function, it will call into the plugin which in this case calls into the PGPsdk to perform a PGP public key encryption. By using this plugin, the web application developer is able to add PGP functionality entirely by programming in JavaScript. I demonstrated this technique in a previous paper titled "Web Service Login using PGP Public keys"1. While this plugin is useful for web developers it depends on both the availability and installation of both the PGPsdk and the PGPweb plugin on the users machine and the inclusion of JavaScript code by the web developer. Note that while the JavaScript itself would be cross platform, the plugin would be platform specific as is the PGPsdk.
XUL Overlays
Another method to extend the web browser in a cross platform way is to use the the XUL (XML User-interface Language) 2 to build an what is known as an overlay. The overlay is a JavaScript application that can examine and modify the web document being viewed.
Recently we have seen a few examples of overlays used in conjunction with GPG to encrypt and decrypt data in Gmail 3 and Google Calendar 4. What the overlay does is to use JavaScript to examine the web document looking for ascii armored PGP text and send this text to GPG for decryption by copying the data to a temporary file on the user machine and invoking GPG through a command-line interface. This is obviously not the most efficient way to perform this operation. Given that we can create a plugin to communicate with the PGPsdk, it is relatively straight forward to combine these two ideas and produce a plugin overlay combination that uses the functionality of the PGPsdk to decrypt or display verification of any embedded PGP on a web page.
JavaScript Native PGP
Recently I became aware of a OpenPGP encrypt program entirely written in JavaScript 5. While the performance was not outstanding, it was well within acceptable range for most uses. Combining the idea of an overlay and a simple javascript implementation of PGP it would be possible to write a web overlay that required no code to run outside the browser space. Such a system would still require the user to have access to their PGP private key to decrypt.
That's it for today. Next time we'll take up the challenge of decrypting data without the key necessarily being present.