
ProtonMail now the maintainer of OpenPGPjs email encryption library - edvbld
https://protonmail.com/blog/openpgpjs-email-encryption/
======
phunehehe0
In case anyone looks for the same thing, I saw "ProtonMail is community
software, funded by the community, and open source." and jumped to GitHub to
search. As stated in
[https://github.com/ProtonMail/WebClient/issues/5](https://github.com/ProtonMail/WebClient/issues/5),
the only open source part is the JavaScript based client, so you can't self-
host ProtonMail.

------
bigiain
So my first reaction there was "there goes another non-five eyes (or nine or
fourteen eyes) hosted mail service who've just painted a (or another) great
big target on themselves to attract even more NSA scrutiny".

(Second reaction was "Crypto in the browser in Javascript _again?_ Didn't we
already point out this is 'doing it wrong'?")

~~~
forgotpwtomain
So you'd prefer not to have any crypto at all? Because 99% of people are going
to use their browsers anyways.

Btw for example
[https://blockchain.info/wallet/#/](https://blockchain.info/wallet/#/) (in-
browser bitcoin wallet) I think has never been hacked - you might say it's a
huge outlier but it is _possible_ to do well.

~~~
hahooooo
The issue is like this.

I load [https://webmail.example.com](https://webmail.example.com).

I see my email.

My ISP doesn't see my email.

The NSA (or anyone else who can MITM https, such as my workplace, college,
etc.) can effectively turn it into http, and see the content.

We need to fix that.

So I write an encryption library in JS, loaded from
[https://webmail.example.com](https://webmail.example.com) . It loads the
email through an AJAX call from
[https://webmail.example.com](https://webmail.example.com), decrypts it, and
displays it.

The only issue is that whoever can MITM the connection can also modify the
JS file to send the key to a C&C server.

So:

"Dumb" ISP can't read #1 mail

"MITM" ISP can read #2 mail

So what's the gain?

The only concern is that it's an active attack vs a passive attack, so no
plausible deniability.

But in most MITM scenarios, you don't need plausible deniability.

1\. Your workplace computer and the connection is owned by them, so they can
do what they want with it.

2\. Dictatorships give themselves whatever powers they want

3\. The NSA has enough side-channel attacks to exploit.

So in which situation will a "JS" encryption help?

~~~
jnbiche
> The NSA (or anyone else who can MITM https, such as my workplace, college,
> etc.) can effectively turn it into http, and see the content.

To be clear, unless NSA has some massive capabilities we haven't dreamed of,
properly implemented HTTPS cannot be MITM'ed (via SSL stripping, or other
means) by anyone who lacks access to your local machine. Specifically, by
properly-implemented SSL, I mean:

1\. Serving https only, no http

2\. HSTS

3\. Certificate pinning

The situation you mention regarding workplace computers is a little different
from the NSA, since they have the explicit authority and ability to install
root certificates on your local work computer. Without those root certs (like
if you use a personal computer at work), they lack the ability to MITM your
connection, assuming the above.

~~~
bigiain
If I'm the NSA, I'd already have stolen Protonmail's HSTS pinned cert's
private key (possibly by burning a zero day getting into one of their web
servers, possibly by "asking nicely" to some tech employee there for whom I
had appropriate leverage).

But yeah - short of nation-state or very high level LEO (who're just
piggybacking on their local NSA equivalent), HSTS with pinned certs is as
close to "secure" as we have right now.

~~~
ryanlol
This is why we have HSMs.

It can in fact be "impossible" to steal ones crypto keys.

~~~
bigiain
Yeah, but "stealing" them isn't the NSA's only avenue to acquire them. With
Lavabit they just said "give us the keys so we can snoop all we want" \- I
suspect very few of us would be able to resist like Levison did (as in, shut
your company and livelihood down, and hope they don't throw you in jail for
doing so). (Fortunately, most of us won't have users with as much heat coming
down on them as Snowden, but if you're building _anything_ privacy related you
owe it to yourself to consider how far you'd go to protect your users if one
of them turned out to be another Snowden...)

~~~
uncletaco
"stealing" is the only path the NSA can take in the case of ProtonMail, due to
their servers being hosted in Switzerland and not within the borders of a
nation that has a strong relationship with the US intelligence community.

~~~
bigiain
I'd bet good money that the NSA can outsource this to their
friends/counterparts/lackeys in any of five eyes, nine eyes, and fourteen eyes
countries - and through less official channels involving local or flown-in
thugs, pretty much everywhere else. They probably can't easily get Huawei's or
Baidu's private keys, but I bet there's tens or hundreds of thousands of
Protonmail sized companies in China/Russia/everywhere else that they _can_
strongarm the owners or sysadmin staff into handing keys over.

Or maybe I'm just in a way too "the whole world is fucked" mood today...

------
jpalomaki
Reminder for the obvious: Javascript is no longer just for web browsers and
GPG is not just for email. GPG is also used in B2B scenarios where files are
being passed between servers.

Also Javascript based client applications installed locally are becoming more
common (think about Atom etc). Maybe we will soon also see Javascript based
desktop IMAP client.

~~~
girvo
> Javascript based desktop IMAP client

Nylas N1 is an example of this (and excellent, might I add)!

[https://nylas.com/](https://nylas.com/)

~~~
grinich
Thanks for the kind words! (I work at Nylas.)

Here's a blog post with more details about Nylas N1 and PGP:
[https://nylas.com/blog/pgp](https://nylas.com/blog/pgp)

------
wslh
I hope they will accept our pull request for adding secp256k1 to OpenPGP.js
enabling interaction with OpenPGP and use of cryptocurrency keys for
messaging:
[https://github.com/Jaxx-io/openpgpjs-secp256k1](https://github.com/Jaxx-io/openpgpjs-secp256k1)

------
cm3
It seems that WebCrypto is already implemented in browsers. Does this library
make use of it, or is it pure JavaScript? If so, why is that? Most crypto
algos are susceptible to side channel attacks, and trying to get that right in
JavaScript across browsers doesn't look generally possible.

------
mkohlmyr
Good stuff, paying customer and planning to stay one :) I do wonder though if
you are thinking about providing PM as a browser extension based app as well?
Would curb some of the issues people always bring up re crypto in browser.

