
Show HN: EmailPK – Instant encrypted email - diafygi
https://diafygi.github.io/emailpk/
======
lectrick
This is cool! One suggestion: I currently can't bookmark a URL that just
contains my email with public key in the querystring, because the app
complains that some parameters are missing. So for example
https://diafygi.github.io/emailpk/?from=<myusername+publickey>@gmail.com
will fail. If this worked, and automatically told the app the "from" address,
that would make it easier to just hit a saved link or bookmark containing that
info so I could get right down to business.

Other than that, a bit of polish and this would be fantastic. One problem
might be running into the maximum URL length allowed by browsers (2083,
limited by IE, if I am correct), if you store the ciphertext on the URL, but I
don't see another way to get around that short of a very clever HTML email
that performs a form post... which may be possible, not sure.

~~~
diafygi
Thanks! Pre-filling the form is a good suggestion. Want to do a pull request?

Also, I try to keep the encrypted payload size minimized, but yes, URL limits can
be a problem (as well as line breaks that email clients sometimes insert). You
can always copy and paste the link into the Read Existing text area, though.

~~~
lectrick
I could probably make that work, but my JavaScript skills were last used when
jQuery was new, so I may be out of the loop.

------
diafygi
Feedback welcome. My email is:
diafygi+3AT5MGn7bCpHsE6T8vDDfd5oAqaRVxV6pmnFg8gSbUAV@gmail.com

------
tomjen3
So close. Make it work with people's normal email address and host it somewhere
that isn't subject to an NSL and we are golden.

~~~
diafygi
It sort-of does work with people's existing email (since the public key is
just added as an email alias). If you didn't have the public key in the email,
you'd have to have a central repo for public keys, which is what this technique
is trying to prevent.

Also, this is an unhosted application, so you can just right click and save-
as. It still works hosted on your local filesystem (which isn't subject to
NSLs).

~~~
tomjen3
Eh, what I meant was that I should be able to send a message to any person's
email. Using this app requires that the user has used it first.

~~~
diafygi
Indeed. Unfortunately, that's fundamentally the way public-key crypto works.
If you do try to send a message to an email with no public key, it will prompt
you to send an invite instead.
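
Added example, not part of the original thread and not EmailPK's own code: one way to read a public key out of a plus-alias address as discussed above, including the no-key case that leads to an invite. The Base58 alphabet, the 32-byte key size and the names `base58Decode` and `parseKeyedAddress` are assumptions inferred from the shape of the addresses posted in this thread.

```javascript
// Assumption: the "+tag" is a Base58 (Bitcoin alphabet) encoding of a
// 32-byte public key. EmailPK's real encoding may differ.
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
const KEY_BYTES = 32; // assumed key size

// Decode a Base58 string to bytes; returns null on any foreign character.
function base58Decode(text) {
  let value = 0n;
  for (const ch of text) {
    const digit = B58.indexOf(ch);
    if (digit < 0) return null;
    value = value * 58n + BigInt(digit);
  }
  const bytes = [];
  for (; value > 0n; value >>= 8n) bytes.unshift(Number(value & 0xffn));
  // Each leading '1' stands for one leading zero byte.
  for (const ch of text) {
    if (ch !== "1") break;
    bytes.unshift(0);
  }
  return Uint8Array.from(bytes);
}

// Split "user+<key>@domain" into the plain mailbox and the key bytes.
// Ordinary plus-aliases ("+work", "+holiday-photos") are rejected because
// they do not decode to exactly KEY_BYTES bytes.
function parseKeyedAddress(address) {
  const at = address.lastIndexOf("@");
  if (at < 1) return { ok: false, reason: "not an email address" };
  const local = address.slice(0, at);
  const domain = address.slice(at + 1);
  const plus = local.lastIndexOf("+");
  if (plus < 1) return { ok: false, reason: "no key tag: send an invite" };
  const key = base58Decode(local.slice(plus + 1));
  if (!key || key.length !== KEY_BYTES) {
    return { ok: false, reason: "tag is not a 32-byte Base58 key" };
  }
  return { ok: true, mailbox: local.slice(0, plus) + "@" + domain, key };
}

// Constructed sample input: an address with no key tag at all.
console.log(parseKeyedAddress("alice@example.com").reason);
```

Only the mailbox part is what the mail provider routes on; the key bytes never need to be looked up anywhere else, which is the point made above about avoiding a central key repository.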

------
ellisonf9
Nice. Email privacy is very important. I commend you on making something that
protects people's privacy. Good job :)

------
Fastidious
"NOTE: THIS IS A PROOF OF CONCEPT. DO NOT USE FOR REAL SECRETS"

Other than being a proof of concept, what is the real problem with using this
for "real secrets?" Are there plans to take it out of proof of concept to
something usable then? I see your myLock carries the same disclaimer, what is
the point then?

~~~
diafygi
I don't really expect these projects to get used widely. They serve more as
inspiration to show that client-side encryption doesn't have to be cumbersome
for the casual user.

It would be great if webapp developers started baking client-side encryption
into their apps.

~~~
lawnchair_larry
Actually this would not be great. It's kind of an unsolved problem. There is
no way to do it safely.

~~~
diafygi
So we should just give up then?

------
StavrosK
This is a great idea, I hadn't thought of embedding ECC keys in the address
itself. That makes them very easy to share, and backwards-compatible. I think
this has great potential, especially as a mail client plugin, since it's so
easy to use.

------
StavrosK
The only problem I'm having is that it's requesting my passphrase even though
I paste my full email address (with my key embedded). I assume it's for
signing?

It would be very nice if it could let me choose to send it unsigned.

~~~
diafygi
For throwaway/anonymous encryption, check out my other project:

[https://github.com/diafygi/myLock](https://github.com/diafygi/myLock)

~~~
StavrosK
Oh, it's not so much throwaway encryption as much as it is "I don't trust this
webpage and don't want to enter my key in it". However, I'll have a look at
the code for my own peace of mind.

EmailPK looks great, great job! I love it.

EDIT: By the way, I assume you're aware of the fact that your name is Greek
for "escape"?

~~~
diafygi
Please do! The code is meant to be audited, so please file any bug reports.

Also, I do indeed know my username's meaning. Isn't it closer to "slips
through the cracks"?

~~~
StavrosK
Not exactly, it's closer to "escaping" or "eluding" in modern Greek, but it
comes from dia (through) + fygi (flight), so maybe it meant "slips through the
cracks" in ancient Greek. I think it meant "escape" back then too, though.

------
vacuo
In a more polished version, you'd want to make it clear that the passphrase is
not necessarily the password used to log into your email account...

Seems like a really good idea. :)

~~~
diafygi
Good suggestion! Want to do a pull request?

------
ghayes
Awesome proof of concept. Do you have a public directory of people involved to
test this out on? I'm a man with a message and no one to send to.

~~~
diafygi
Thanks! So far it's just me, so maybe you could open an issue requesting
others to test with their addresses?

~~~
StavrosK
How can I generate a private key, though? (EDIT: Never mind, you just type a
passphrase when you send an email. You can send me messages at
hi+3mrw9gpkAN1Uc5ZUFxdNtxQhUiEvsWE1GveBkzNKYvqF@stavros.io)

I can see this having problems with revocation and password changes,
unfortunately. Namely, if your passphrase is compromised, you're screwed.

------
claudius
Could you add a “standard” mailto: link? I’m not using any of the popular
webmail providers, but this looks really nice otherwise :)

~~~
diafygi
After encrypting, the text area shows the encrypted message ("This message is
encrypted..."). So you can always manually copy that and paste it into your
own mail client :)

~~~
claudius
That is certainly true, thanks!

------
ClassicFarris
So are the emails stored in Gmail encrypted?

~~~
diafygi
Yes. This encrypts the message before opening the gmail compose window, so all
gmail sees is the encrypted message.

