

Show HN: gpgsend.com - encrypted emails from your browser. - shocks
http://gpgsend.com/

======
mtogo
| What about SSL?

| SSL will not be helpful here, since no sensitive information is ever sent to
this server. All encryption is done BEFORE it leaves your computer!

This made me cry.

And that's not even mentioning that I'm typing a possibly sensitive message
into your app and just _hoping_ that you're going to encrypt it with the right
key and not read it yourself.

~~~
shocks
Heh, yeah I guess you are right. Getting an SSL certificate now. Not sure what
to do about "proving" I'm not doing anything untoward with the message?

~~~
tptacek
You really can't, but that unfortunately doesn't make it not an issue.

~~~
shocks
I am going to put the source code up on GitHub, so if people really don't
trust me that can run their own! :)

~~~
tptacek
Nobody is suggesting that they don't trust you, are they? I'm just observing
how bad web browsers are for the kind of UX you hope to have.

------
jannes
<http://www.matasano.com/articles/javascript-cryptography/>

~~~
shocks
Thanks for the link, a very interesting read. I've been brainstorming some
solutions with a friend and we think that perhaps the problem could present an
interesting research project. The idea of digitally signed and verified
Javascript, maybe a browser plugin to check these signatures, etc.

~~~
jannes
That's an interesting idea, but you still have the problem that essentially
everything in the browser can be MITMed. Even SSL isn't really secure. Just
look at the recent CA incidents or the BEAST exploit.

------
tresta
This should really be ssl enabled.

Not only because of the risk of data being intercepted when sent to the
server, but also to mitigate the risk of a MITM attack.

~~~
shocks
Applying for an SSL certificate now. Thanks for your feedback! :)

------
codecaine
did you do the JS implementation of PGP yourself? Really cool service btw.
Maybe you could write up a nopaste-tool which encrypts the stored contents
before they get posted to your server.

~~~
shocks
I actually use the Javascript PGP implementation found here:
<http://www.hanewin.net/encrypt/> but I do plan to implement my own soon. I'm
hoping to add a file encryption utility too, but I don't think the current PGP
implementation will allow that so easily.

I'm not quite sure I understand what you mean by a nopaste-tool?

Thanks for your feedback! :)

~~~
codecaine
I don't know what the term for those sites is. Something like
<http://nopaste.info/>. How do you plan to implement file encryption in JS?

~~~
shocks
I was hoping to use Javascript to encrypt the file locally and then upload the
encrypted file to my servers for email or downloading. I'm not really sure on
exactly how I would do it yet. :) Maybe with some HTML5 local storage?

------
the-kenny
Looks like it doesn't respect additional UIDs. I have one uid for my
@googlemail address and one for my @gmail address. I can't send to @googlemail
using your tool.

~~~
shocks
Ah thanks for that, I'm working on a patch now! :)

------
Kenan
The title should link back to the home page. Other than that, great job!

~~~
shocks
Updated. Thanks for the feedback, greatly appreciated. Cheers!

