advertisement

Weblog:   The Fuss About Gmail and Privacy: Nine Reasons Why It's Bogus
Subject:   Browser-side Javascript public key encyption
Date:   2004-04-16 18:34:28
From:   nzheretic
It is possible to use browser side javascript to encrypt and decrypt content, including the use of RSA public key encyption. See RSA Algorithm Javascript Page.
( For efficiency, public key encyption methords generaly decodes a randomly generated key for the single key encyption which encypts the plaintext )


It should be possible to use public key encryption with inspected outgoing and incoming email gateways to ensure email content privacy.


Client side Javascript is used to generate the public and private keys. Single key encryption using a "privacy password" is used to encrypt the private key to store it server side.


-Incoming SMTP Email
| Incoming Gateway encrypts plaintext email with user's public key
- Encrypted Email
| Gmail Web based email server
- Encrypted Email
| User's Web Brower fetches the private key from the server
| User enters "privacy password"
| browser javascript decypts the private key.
| browser javascript uses private key to decode and display encrypted Email
- Decrypted Email only at user browser side
| User Reads and enters reply into text window
| More Javascript encrypts outgoing content using outgoing gateway's public key
- Encrypted Email
| Outgoing Email gateway decrypts outgoing Email
- Decrypted Email


As long as the Incoming and Outgoing email servers remain seperate,subject to inspection and undergo regular auditing, then the email stored on Gmail will remain unreadable to Google.


Users should be able choose a default encyption policy and mark individual messages as private or public.


Mail between Gmail individual users could actually be more secure than outside email, as the sender could encypt the message directly using the recipients public key.
Full Threads Oldest First

Showing messages 1 through 5 of 5.

  • Browser-side Javascript public key encyption
    2004-04-17 11:49:10  michaelnewton2 [Reply | View]

    It should be possible to use public key encryption...the email stored on Gmail will remain unreadable to Google




    It should be possible to use another email provider if you don't want to use Gmail. The email will remain unreadable to Google.
    • If it is successful. could you avoid replying to Gmail users?
      2004-04-17 14:57:31  nzheretic [Reply | View]

      At work around 20% of legitmate non-spam emails , mostly inquiries, are from Hotmail or other webmail services. If Gmail is going to as successful as Hotmail, it's going to become more difficult to avoid replying to legitmate emails from it's users.

      Google could also use a number of mechanisims to get email recipiants to connect to the Gmail service though the browser, including keeping email attachments server side inserting an URI in the email. Hotmail, or any other web email provides could do the same, even using the spammer trick of webbug images emmbedded in the HTML'ed email. Significant profilable information can be gathered from the email headers alone.

      There is a potential network effect on the erosion of privacy, made more prominent with users moving to a few very large service providers.

      Privacy advocates have a legitmate concern over the issues surrounding the profiling and privacy of email. While Google remains under its current management, I am personally less concerned. However just as in January 1998 Hotmail was purchased by another company, Microsoft, Google could be sold to another company with even less moral scruples.
      • If it is successful. could you avoid replying to Gmail users?
        2004-11-14 15:36:38  Arosee [Reply | View]

        And, as Tim's article makes clear, the NSA already "owns" it all (when they choose to), and Google's wonderful technology hands them quite a powerful tool. If, perchance, the government chooses to abuse it, we will be quite at their mercy. (And no, I'm not a leftist. Far as I'm concerned, they own the government already - even the Great Communicator could not root them all out - and all their whining about sinister right-wingers is a self-serving smoke screen ;-).
  • Browser-side Javascript public key encyption
    2004-04-17 10:39:04  brianwolfe [Reply | View]

    Interesting concept. However what about users of webtv, or text based browsers that don't run javascript?
    • You might as well ask how do people without browsers access the web?
      2004-04-17 15:02:48  nzheretic [Reply | View]

      If you log in to such a system using a non javascript browser you could have two options.
      1) Read and write only plaintext emails; OR
      2) Trust Google with your "privacy password" and access to your private key to decode the content serverside, with defeats the point of the whole exercise.
Showing messages 1 through 5 of 5.