
OpenPGPjs has passed an independent security audit - testloop
https://protonmail.com/blog/openpgpjs-protonmail-security-audit/
======
Sir_Cmpwn
Not that it matters. They could silently replace it with a backdoored script
and your browser would never tell you it happened.

And to preempt the ProtonMail rep who is probably going to respond to this
comment, I know that you can run the web app on localhost. But that doesn't
mean that users who don't are any more secure.

~~~
tlrobinson
This (rightfully) comes up every time some browser-based encryption tool is
posted. It seems like the desire for such tools isn’t going to go away. Is
anyone working on solutions for making distribution of JavaScript applications
more secure?

There’s a range of assurances you could try to provide, e.g. signatures from
the author (or even 3rd parties), prompting for updates, etc. It would likely
require support from browsers.

At one point I investigated using service workers to intercept subsequent app
updates to check signatures but there was no way to prevent the service worker
itself from being replaced (probably because it would be easy for a site to
permanently “brick” itself in users' browsers).

~~~
syoc
Have a look at [https://w3c.github.io/webappsec-subresource-integrity/](https://w3c.github.io/webappsec-subresource-integrity/)

~~~
tlrobinson
That’s a start, but if the main resource (the HTML page) can be modified it
doesn’t help.

If you could require the root page be cryptographically signed (but by who?)
and optionally prompted for updates then we’re talking.

------
krn
I have zero trust in Proton<anything> after learning that the free ProtonVPN
service is provided by a data mining company from Eastern Europe[1].

[1]
[https://news.ycombinator.com/item?id=17258203](https://news.ycombinator.com/item?id=17258203)
(please turn on "showdead" in settings, to see the entire thread)

~~~
prophesi
Please, that's not a verified claim[0], and you shouldn't trust any VPN
service that isn't operated by you in the first place.

[0]: Plus, it was raised by a competitor, Private Internet Access, so it makes
it even more difficult to get the facts straight.

~~~
krn
> Please, that's not a verified claim[0], and you shouldn't trust any VPN
> service that isn't operated by you in the first place.

The co-founders of ProtonMail were caught providing multiple inaccurate
statements about their business practices in that thread, and couldn't deny
any of the facts stated by the co-founder of PIA[1].

[1]
[https://news.ycombinator.com/item?id=17262566](https://news.ycombinator.com/item?id=17262566)

~~~
close04
Which part of the world should any service be provided from to be trustworthy?
Let me rephrase, which services are known to have never cooperated with any
agency, nor ever being hacked by them?

~~~
ltc5505
... Facebook

------
makmanalp
> The only limitations come from the platform itself (JavaScript/web), which
> do not allow for side channel resistance or reliable constant time
> operations. Overall however this is an exceptional library for JavaScript
> cryptography.

How would this compare to something like WebCrypto, which I assume would be
implemented in a way that would allow for side channel resistance etc? It does
seem surprising that we don't have something like a browser API version of
libsodium in widespread use already.

~~~
bartbutler
You are confusing crypto primitives with a high-level spec like OpenPGP.
OpenPGPjs used WebCrypto and node crypto libraries when available for
primitives. You still need a library for the OpenPGP stuff.

~~~
makmanalp
Whoops, I see my mistake, thanks.

~~~
dane-pgp
I think you're right to pick up on this "side channel resistance or reliable
constant time operations" wording, actually. If the OpenPGPjs library is using
WebCrypto for the primitives, then what are the non-constant time operations
and JavaScript-specific side channels that have security implications? Such a
claim should really be accompanied by a specific threat model.

Is the supposed threat actor a MitM that can use the timing of the packets
your browser sends to work out when you stopped typing your email and when the
email was sent to the server, allowing them to calculate the time taken by the
encryption operation and thus infer something about the plaintext of the
email?

Alternatively, is the threat actor someone running JavaScript code in another
tab of the same browser, who can infer how much CPU the browser is using at
any given time, with enough accuracy to reveal bits of the private key?

Perhaps they are imagining an attacker who could do both, and it would be very
interesting to see a practical attack along these lines, but I still think
that a decent WebCrypto implementation should make it close to impossible for
an attacker to extract any useful information unless the user is sending
billions of emails through the ProtonMail web client.

~~~
bartbutler
I also think exploiting it would be extremely difficult. IIRC, it was NIST ECC
curves which are hard to make constant time and do not have WebCrypto
primitives. We are still going to see what we can do to address this.

------
bankspot
Have any current protonmail users experienced denial of service from online
providers solely because of their email address?

~~~
amaccuish
Yupp. My account at a particular website was terminated. They pointed to their
TOS, where "anonymous" addresses are not allowed. Wasn't even given the chance
to keep the account and change the email to an "acceptable" one.

~~~
driverdan
What service? Name and shame.

~~~
amaccuish
Not gonna reveal as it's got to do with my private life :p

------
sshb
It seems that an easier approach would be to compile Go's openpgp library or
something higher level like
[https://github.com/lastochkanetwork/easypgp](https://github.com/lastochkanetwork/easypgp)
into wasm.

------
woranl
Why not use WebCrypto instead? No library needed.

~~~
bartbutler
You are confusing crypto primitives with a high-level spec like OpenPGP.
OpenPGPjs used WebCrypto and node crypto libraries when available for
primitives. You still need a library for the OpenPGP stuff.

~~~
acdha
Does OpenPGPjs use WebCrypto to create keys which are not extractable? That's
the big win here if you can make it impossible for a compromised client to
leak keys which were used before/after the compromise.

~~~
Boulth
This also means you can't use another computer or that your key is lost if you
clear browser data. Unless you'd do backups but I doubt this is standard
procedure of ProtonMail users.

~~~
acdha
That's true assuming that the browser doesn't offer any way to manage that
using e.g. Chrome/Firefox Sync.

What PGP really needs is a modern security model so you'd have many device
keys registered to an identity rather than requiring the risk of spreading
copies around. I think I have IIRC 8 GPG subkeys currently (6 of them being
Yubikeys) and every aspect of that toolchain is unacceptable in the modern
era.

~~~
Boulth
I've got the same setup with subkeys per Yubikey (though I had to rotate due
to Infineon).

What do you mean by "device keys"? Something like forward secrecy keys for
initial session setup as used by e.g. Signal? This could be done with some
effort... actually the developers of the Rust OpenPGP library Sequoia are
already working on making this use case easier.

Another set of patches circulating on the ML adds support for TPM-bound keys
that are non-extractable.

------
EGreg
Thanks to the great folks at PARAGONIE our open source platform (i.e. you can
actually tell the code is always the same and you can host it yourself) also
just passed an independent security audit:

[https://paragonie.com/audit/L7TtZbFoJBxR91Xg](https://paragonie.com/audit/L7TtZbFoJBxR91Xg)

I didn’t think it was worth it to post to HN as news, though. Perhaps I should
start posting our achievements a bit more.

Like for example our Group Rides feature:

[https://youtu.be/PHuYV7q7NeM](https://youtu.be/PHuYV7q7NeM)

~~~
yacn
> Perhaps I should start posting our achievements a bit more.

Maybe, but don't do it in someone else's thread trying to steal the spotlight
from them... Really bad taste.

~~~
EGreg
How am I stealing the spotlight from them? They are on the front page, whereas
mine is just a comment that's relevant to it. They still have the spotlight,
the link is still there and my comment only adds to the number of comments on
the story.

If anything, the comments saying that they shouldn't be trusted, etc. harm
them more than my comment.

Actually my comment should be: I don't think being audited by a third party
firm is newsworthy, this is us being audited and we didn't post it.

~~~
DoreenMichele
PR is hard. Replies like the one you got are a hint that you need to learn a
lot more than just "This right here that I thought was not really newsworthy
is totally newsworthy."

;)

(Chin up and all that. This is not intended to be in any way hostile.)

