OpenPGPjs v3.0 - vabmit
https://protonmail.com/blog/openpgpjs-3-release/
======
vabmit
In case anyone that doesn't follow the development of the library closely
missed it, the main improvement in this version is the introduction of ECC
support. ECC tends to be able to provide equivalent levels of security to
traditional "big prime" cryptography (like RSA) with less computationally
intensive operations. This is especially important in a library like OpenPGPjs
that is primarily meant for in-browser web usage, because it should make
things like sending and receiving mail faster when ECC is used over older
PGP public key encryption systems. For people that use ProtonMail's web-based
crypto on mobile or tablet devices, a switch to ECC would result not just in
similar performance improvements but also in lower battery usage.

Currently, ProtonMail uses RSA keys, but this addition of ECC support to their
web encryption library may mean that they are about to start switching users
to ECC keys. Because using "larger" (when compared with equivalent theoretical
strength RSA keys, for example) ECC keys is less resource intensive than using
higher security keys in some other forms of cryptosystems (like RSA), it may
also be an indication that ProtonMail is preparing to upgrade users to higher
security/stronger keys.

Many cryptographers and organizations, including the US Government, have
recommended for a long time that people migrate from older "big prime
cryptography" based cryptosystems to ECC based cryptosystems for increased
security.

~~~
dsacco
_> In case anyone that doesn't follow the development of the library closely
missed it, the main improvement in this version is the introduction of ECC
support._

Wow...I'm sort of shocked that wasn't a v1.0 consideration.

_> ECC tends to be able to provide equivalent levels of security to
traditional "big prime" cryptography (like RSA) with less computationally
intensive operations. This is especially important in a library like OpenPGPjs
that is primarily meant for in-browser web usage, because it should make
things like sending and receiving mail faster when ECC is used over older
PGP public key encryption systems. For people that use ProtonMail's web-based
crypto on mobile or tablet devices, a switch to ECC would result not just in
similar performance improvements but also in lower battery usage._

In particular, elliptic curves have smaller parameters, which allow for
smaller keys at the same bit security level. For example, to achieve 128-bit
security, an RSA/DLP modulus must be 3072 bits. Elliptic curves achieve the
same security level with only 256-bit parameters. They are also faster for
most operations, but RSA is still technically faster for signature
verification.

_> Many cryptographers and organizations, including the US Government, have
recommended for a long time that people migrate from older "big prime
cryptography" based cryptosystems to ECC based cryptosystems for increased
security._

True, but elliptic curve cryptography is just as vulnerable to quantum
computers, however long off that problem may be.

~~~
zahllos
> Wow...I'm sort of shocked that wasn't a v1.0 consideration.

Given that you need to pass --expert to gpg 2.1 as of right now to even
generate an ECC keypair for PGP use (or use one on an OpenPGP smartcard or
YubiKey), I can sort of forgive the lack of ECC in 1.0. I don't think it sees
wide usage for PGP keys (some clients don't support it, also).

However, as of the last time I tried ProtonMail (about 10 minutes ago, to check
this is all still true) you can't: revoke/reissue your PGP key, validate
outside signatures (either on encrypted messages or signed, plaintext
messages) or send pure-PGP mail to users outside of ProtonMail (there's an
"encrypt for non-ProtonMail users" option, which sends a link instead).
Essentially, as another commenter has said, you can't really do PGP with
ProtonMail.

~~~
jlgaddis
I don't use ProtonMail, but it sounds like _they_ are "managing" users' private
keys!? Am I understanding this correctly? ProtonMail has access to their
users' private keys? And they are using web-based encryption, delivered via
JavaScript?

And people _trust_ them!?

------
dfabulich
What is the threat model for PGP in JS? Like, is there an Alice, Bob, Carol,
Eve story under which PGP in JS makes sense?

The canonical example that IMO doesn't make sense is when Alice and Bob want
to communicate privately using Eve as a webmail provider who wants to snoop
in on the communications. Alice and Bob can't just trust Eve to provide a copy
of OpenPGPjs in a <script> tag on EveMail.com, because then they're trusting
Eve to provide a legitimate PGP implementation, trusting Eve not to log their
keystrokes in JS, etc.

I can understand OpenPGPjs as a server-side library in Node (though I suspect
it would be safer to run a battle-hardened library like GPG with node FFI).

But, in client-side web code, how could this ever make sense?

~~~
dane-pgp
One user story is that Alice uses Eve's webmail, and Bob uses PGP and mutt on
his laptop. Before Eve's webmail supported PGP in JS, Bob had to send his
emails to Alice unencrypted (and unsigned), which meant his mail provider
could read the plaintext (even if he trusted that mail provider to always
require a TLS connection when sending to Eve's servers).

From Alice's point of view, she is just using webmail as she always has,
except now she has the assurance that no one (other than Eve) can spoof Bob's
identity, and that Bob's mail server isn't reading the messages she sends him
(unless Eve is deliberately leaking the plaintext somehow despite sending Bob
the encrypted version).

Long term it would be nice if the W3C's SRI standard were extended to allow
offline signing of JavaScript files:

[https://github.com/w3c/webappsec/issues/449](https://github.com/w3c/webappsec/issues/449)

and for browsers to prompt you whether you wanted to run a new (offline
signed, maybe independently audited) version of those files.

~~~
emj
> [Alice knows] no one (other than Eve) can spoof Bob's identity

If Carol or Chuck can spoof Eve's "identity", they can spoof Bob's identity. This
can be done in a multitude of technical or social ways.

Is it better to have this than nothing? The problem is that you have to trust
your whole infrastructure if you want to do this kind of client side
encrypting.

~~~
dane-pgp
If your threat model says that Eve's webmail servers can be spoofed, then
Alice can't use webmail at all, or possibly any websites. At that point, the
security of PGP in JS is pretty much irrelevant.

~~~
emj
I think that is one of the most obvious things that can happen, but no, it only
affects JS PGP that is integrated on a site you use. PGP in JS is still
relevant because it makes it easier to download, verify and execute JavaScript
"anywhere", not as an integrated solution served by a third party. Sadly.

------
WhatIsDukkha
I wish something like this would take off -

[https://github.com/kylehuff/webpg-chrome](https://github.com/kylehuff/webpg-chrome)

We deserve a better userspace from our browsers. The excuse that "users" don't
want this because it's "hard" is circular.

~~~
theli0nheart
The project looks really cool! But...the fact that the website has a
certificate error doesn't inspire much confidence. Especially since it's a
security tool. :(

~~~
bartbutler
What certificate error? Neither [https://openpgpjs.org](https://openpgpjs.org)
nor the link here have a certificate error for me. Maybe you are being
MITMed...

~~~
jolmg
I'm also getting it. The certificate for
[https://webpg.org/](https://webpg.org/) expired October 29, 2017.

~~~
bartbutler
Aha, I misunderstood the original comment.

------
sphix0r
Great to see protonmail working on this.

It's shocking how much sensitive data is sent by mail (contracts, passwords,
lawyers, etc.) without PGP signing / encryption on a daily basis.

------
woranl
Why not use WebCrypto instead?

~~~
Shoothe
They are probably using it underneath. WebCrypto by itself is just a set of
primitives; you need higher-level abstractions to do anything useful in the
real world.

------
xs
I don't get it. ProtonMail still doesn't support PGP, yet they're working on
open source libraries for other people to implement PGP? I don't understand
these priorities.

~~~
protonmail
The library is the prerequisite for proper PGP support in ProtonMail, so it
obviously needs to be built first.

~~~
pzduniak
You mean the library that you've been using from the beginning of the proper
web client? This is not an answer. Kudos for finally doing ECC though.

~~~
bartbutler
For internal use we had all RSA keys so it was fine. For external use we have
to support what everyone uses, and there is a variety as you know. Saying
"hey, you can use PGP but all your friends have to have RSA keys" is not a
recipe for a good user experience.

~~~
e12e
This is great to hear! If/when ProtonMail transitions to being a mail host that
supports open standards in a wider sense, I'd more seriously consider becoming
a customer :-)

Fwiw, while I'm not that interested in the current project - I actually think
it's great to build a walled garden on open standards - especially for secure
services. Makes it easier to evaluate, and opens the door for secure interop
in the future.