

 Rate my startup - CertiVox's PrivateSky - bribriinlondon
https://privatesky.me
======
bribriinlondon
Hi, sorry, the description didn't come through:

I've been a long time lurker on the board, but this is my first official post.
My name is Brian Spector, I'm a long time crypto geek, working in infosec for
about 20 years.

Last week we launched a new service called PrivateSky, which is an end to end,
browser to browser encryption service, for free. Our first product is the
PrivateSky for Internet Explorer add-in. Yes, we will come out with Firefox
and Chrome soon.

I'd love to see what the board thinks about what we are doing, and if so, what
we could improve.

I hope this is the appropriate place to post this, if I'm violating policy
(checked, couldn't find anything), then please do let me know and I will
delete this.

You can get the free PrivateSky Internet Explorer add-in at:

<https://privatesky.me>

What does it do?

CertiVox's PrivateSky SaaS is a major innovation in secure information
exchange. The PrivateSky for Internet Explorer Connector add-in is a whole new
approach to securing confidential information posted to the web, and anyone
can use it. The PrivateSky for IE add-in doesn't require multiple passwords,
certificates, or complicated processes to learn. It's simple browser to
browser encryption that just works. Use it to encrypt your webmail, Facebook
posts and messages, LinkedIn messages and even blog posts. PrivateSky uses the
AES encryption algorithm, that means it is super safe!

Enough with the marketing spiel, here's what we really do:

We operate an encryption key management server in the cloud. Our software
connects to our key server to get everyone who enrols what we call a SkyKey.
You can think of this like a private key. However, we are using a new form of
key agreement called non-interactive authenticated key agreement, based upon
bilinear pairing mathematics. No, this is not identity based encryption, this
is non-interactive key agreement. It's heady stuff, but it has suffered
through 20 years of cryptanalysis and is secured by the DLP.

Now, the thing is, there is no public key. There is only one key, your SkyKey.
But, this enables you to create "connection keys", which are regular AES 192
bit keys. The analogy I always use is this: Suppose every time you made a
friend on Facebook, a worldly unique AES key was created between you and your
friend, and could only be created between you and your friend.

That's what we've managed to do, but in your browser. Oh, and there is a
boatload of key protection, rotation, etc., going on in the background.

Again, love to get some feedback. I'm the chief bottle washer at the moment so
I can't promise to respond to feedback immediately, but will try my best.

Thank you for giving it a shot and please let 'er rip, the good, bad and ugly.

~~~
gojomo
What does 'secured by the DLP' mean?

Does Certivox retain the ability to decrypt all messages?

FYI, nothing shows on the FAQ page when blocking Javascript, which is somewhat
common among the security conscious who may be your target audience.

~~~
bribriinlondon
The only way we could decrypt the message theoretically is if you brought it
to us in conjunction with a "bad actor" on our end. We're not like Hushmail,
we don't actually transport your message, we just give you the ability to
generate and re-generate the right encryption and decryption keys with one
click. Hope that helps. Yes, many debates about the accordion and javascript
usage internally. It is safe however, in case you feel adventurous on that
page. Cheers, Brian

------
JangoCuni
Am familiar with bilinear pairing and did not know it was available
commercially! Pretty cool.. On first glance it seems cumbersome to highlight
text first and then apply. Why not just automate the process for the entire
note? Also how are you making sure the recreation of the connection key is
authenticated?

~~~
bribriinlondon
It's done through the key agreement process itself. If you have the primary
private key (SkyKey) you can create the decryption key through the ID input.
So if I send something to you, it would be (my SkyKey + your ID "JangoCuni") =
unique AES key. To decrypt, you use (your SkyKey + "my ID") to get the same
unique shared secret (AES Key). Of course, you use the shared secret value to
encrypt the content encryption key.

We tried automating the process of the entire note but we found that people
really wanted to put their own language around it. When we hijacked the entire
note folks didn't recognize it and it's a lot more "trustable" (is that a word
LOL) when it comes from a friend with some of their language.
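
The derivation described in the comment above (own private key + peer ID on each side, same key on both) can be sketched as follows. This is an added example, not CertiVox's code: the page does not name the scheme, so it assumes a Sakai-Ohgishi-Kasahara style construction, and the pairing, hash-to-point mapping, KDF and all function names are constructed, insecure stand-ins chosen to show the algebra only.

```python
import hashlib
import secrets

# INSECURE stand-in for a bilinear pairing, for showing the algebra only.
# "Points" are plain integers mod P-1, so a private key divided by H(ID)
# reveals the master secret; real schemes use elliptic-curve pairing groups.
P = 2**127 - 1          # Mersenne prime; target group is Z_P^*
G = 3                   # fixed base in the target group
N = P - 1               # exponents live modulo P-1

def h_id(identity: str) -> int:
    """Hash an identity string to a 'point' (constructed mapping)."""
    d = hashlib.sha256(b"id:" + identity.encode()).digest()
    return int.from_bytes(d, "big") % N or 1

def pairing(a: int, b: int) -> int:
    """Toy map with e(s*a, b) == e(a, s*b) == e(a, b)**s."""
    return pow(G, (a * b) % N, P)

class KeyServer:
    """Holds the master secret and issues per-identity private keys."""
    def __init__(self):
        self.master = secrets.randbelow(N - 2) + 2

    def enrol(self, identity: str) -> int:
        return (self.master * h_id(identity)) % N   # s * H(ID)

    def escrow_key(self, id_a: str, id_b: str) -> bytes:
        # Whoever holds the master secret can recompute any pair's key.
        shared = pow(pairing(h_id(id_a), h_id(id_b)), self.master, P)
        return _kdf(shared, id_a, id_b)

def _kdf(shared: int, id_a: str, id_b: str) -> bytes:
    # Constructed KDF: SHA-256 over the pairing value and both IDs,
    # truncated to 24 bytes (192 bits, the key size mentioned in the post).
    ids = "|".join(sorted((id_a, id_b))).encode()
    return hashlib.sha256(shared.to_bytes(16, "big") + ids).digest()[:24]

def connection_key(my_private: int, my_id: str, peer_id: str) -> bytes:
    """Pair key from my private key and the peer's ID; no messages exchanged."""
    return _kdf(pairing(my_private, h_id(peer_id)), my_id, peer_id)
```

In this generic construction the pair key would then wrap a per-message content encryption key, and `escrow_key` shows why the trustworthiness of the key server matters: the master secret alone is enough to rebuild every pair key.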

~~~
JangoCuni
Presumably I can therefore make the shared secret derived through my own ID
(JangoCuni SkyKey + ID "JangoCuni") to save text anywhere just for me? Is
this possible in cloud storage – do you support bulk file upload processes?

~~~
bribriinlondon
Hi, we have a managed file transfer / bulk uploader coming out in a new
"professional" version in about six weeks, and yes, you can put only
yourself into the Circle of Trust. In fact, I use Posterous as an online
password manager exactly like this. It's an encrypted blog, but only I can
open it. You could also use something like Tiddly Wiki and keep it local
(although IE complains about TW...sigh).

------
JOnAgain
I spent a few min clicking through the site and I have no idea what it does,
though I now understand you're like the 'whiz-bang military'. Copy needs a lot
of work. Screenshots, demos, videos, something to let me know what using the
service is actually like.

~~~
bribriinlondon
Hi, did the video on the front of the site not work? Maybe we should make the
Watch it now button bigger? Cheers.

------
spreiti
This is pretty neat. I will try it out as soon as there is a version for
Chrome.

One suggestion: Decrypt the message automatically when the user opens the
page. I think it's cumbersome to manually decrypt the message every time.

~~~
bribriinlondon
Yea, I agree. The problem we run into is that we need to run the identity of
the package creator by the recipient so they can determine whether they want
to open it or not. We're toying with the idea of remembering a preference
about your "trusted senders" and then auto opening them. Do you think that
would be a happy medium?

------
bribriinlondon
Coverage:
<http://www.pcmag.com/article2/0,2817,2388080,00.asp?kc=PCRSS05079TX1K0000992>

------
oliciv
I didn't know what it was. I clicked the "more information" button. I still
don't know what it is.

~~~
pbreit
Me neither. And who is Certivox? Hasn't Microsoft even declared Silverlight
dead? HN doesn't seem like the best place to announce an IE-only service.

~~~
bribriinlondon
We've got Chrome and Firefox coming out soon, as stated above. I'm sorry,
should we wait until then to declare our service? As far as who we are, we're
British, you can have a brief summary read here:
<http://certivox.com/index.php/about-certivox/news-events-press/media-resources/>

------
jivejones
Cool idea, although Internet Explorer / Silverlight isn't my cup of tea.

~~~
bribriinlondon
Thanks. As mentioned, we've got Chrome and Firefox coming out soon. Cheers,
Brian.

