In case anyone that doesn't follow the development of the library closely missed it, the main improvement in this version is the introduction of ECC support. ECC tends to be able to provide equivalent levels of security as traditional "big prime" cryptography (like RSA) with less computationally intensive operations. This is especially important in a library like OpenPGPjs that is primarily meant for in browser based web usage because it should make things, like sending and receiving mail, faster when ECC is used over older PGP public key encryption systems. For people that use ProtonMail's web based crypto on mobile or tablet devices, a switch to ECC would result not just in similar performance improvements but also in lower battery usage.
Currently, ProtonMail uses RSA keys, but this addition of ECC support to their web encryption library may mean that they are about to start switching users to ECC keys. Because using "larger" (when compared with equivalent theoretical strength RSA keys, for example) ECC keys is less resource intensive than using higher security keys in some other forms of cryptosystems (like RSA) it may also be an indication that ProtonMail is preparing to upgrade users to higher security/stronger keys.
Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
>Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
> Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
Personally I'd stay away from NIST recommended curves for long term keys (as used in OpenPGP). Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.
> In case anyone that doesn't follow the development of the library closely missed it, the main improvement in this version is the introduction of ECC support.
Wow...I'm sort of shocked that wasn't a v1.0 consideration.
> ECC tends to be able to provide equivalent levels of security as traditional "big prime" cryptography (like RSA) with less computationally intensive operations. This is especially important in a library like OpenPGPjs that is primarily meant for in browser based web usage because it should make things, like sending and receiving mail, faster when ECC is used over older PGP public key encryption systems. For people that use ProtonMail's web based crypto on mobile or tablet devices, a switch to ECC would result not just in similar performance improvements but also in lower battery usage.
In particular, elliptic curves have smaller parameters, which allow for smaller keys at the same bit security level. For example, to achieve 128-bit security, an RSA/DLP modulus must be 3072 bits. Elliptic curves achieve the same security level with only 256-bit parameters. They are also faster for most operations, but RSA is still technically faster for signature verification.
> Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
True, but elliptic curve cryptography is just as vulnerable to quantum computers, however long off that problem may be.
What is the threat model for PGP in JS? Like, is there an Alice, Bob, Carol, Eve story under which PGP in JS makes sense?
The canonical example that IMO doesn't make sense is when Alice and Bob want to communicate privately using Eve as an webmail provider who wants to snoop in on the communications. Alice and Bob can't just trust Eve to provide a copy of OpenPGPjs in a <script> tag on EveMail.com, because then they're trusting Eve to provide a legitimate PGP implementation, trusting Eve not to log their keystrokes in JS, etc.
I can understand OpenPGPjs as a server-side library in Node (though I suspect it would be safer to run a battle-hardened library like GPG with node FFI).
But, in client-side web code, how could this ever make sense?
One user story is that Alice uses Eve's webmail, and Bob uses PGP and mutt on his laptop. Before Eve's webmail supported PGP in JS, Bob had to send his emails to Alice unencrypted (and unsigned), which meant his mail provider could read the plaintext (even if he trusted that mail provider to always require a TLS connection when sending to Eve's servers).
From Alice's point of view, she is just using webmail as she always has, except now she has the assurance that no one (other than Eve) can spoof Bob's identity, and that Bob's mail server isn't reading the messages she sends him (unless Eve is deliberately leaking the plaintext somehow despite sending Bob the encrypted version).
Long term it would be nice if the W3C's SRI standard was extended to allow offline signing of JavaScript files:
I've been looking for gmail alternatives and this is my conclusion. Protonmail plays the part of the secure and private email provider, but, technologically, can't provide that. The only concrete thing their users have going is the superior legal environment of Switzerland. A less-than-concrete comforter is that if we believe that the people behind Protonmail believe in privacy, we'll tend to think they're more likely to try to protect ours if push comes to shove. This makes me look for alternatives.
Subresource integrity means you could trust Eve in some cases. Also if Eve provides a script tag from a trusted CDN it could work. You would have to check it every time though.
What might help is a browser extension that tracks changes and allows you to “lock” into a version of a website.
The project looks really cool! But...the fact that the website has a certificate error doesn't inspire much confidence. Especially since it's a security tool. :(
They are probably using it underneath. Webcrypto by itself is just a set of primitives, you need a higher level abstractions to do anything useful in real world.
I don't get it. Protonmail still doesn't support PGP, yet they're working on open source libraries for other people to implement PGP? I don't understand these priorities.
vabmit|8 years ago
Currently, ProtonMail uses RSA keys, but this addition of ECC support to their web encryption library may mean that they are about to start switching users to ECC keys. Because using "larger" (when compared with equivalent theoretical strength RSA keys, for example) ECC keys is less resource intensive than using higher security keys in some other forms of cryptosystems (like RSA) it may also be an indication that ProtonMail is preparing to upgrade users to higher security/stronger keys.
Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
chapill|8 years ago
Not what I've heard.
https://threatpost.com/nsas-divorce-from-ecc-causing-crypto-...
Shoothe|8 years ago
Personally I'd stay away from NIST recommended curves for long term keys (as used in OpenPGP). Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.
dsacco|8 years ago
Wow...I'm sort of shocked that wasn't a v1.0 consideration.
> ECC tends to be able to provide equivalent levels of security as traditional "big prime" cryptography (like RSA) with less computationally intensive operations. This is especially important in a library like OpenPGPjs that is primarily meant for in browser based web usage because it should make things, like sending and receiving mail, faster when ECC is used over older PGP public key encryption systems. For people that use ProtonMail's web based crypto on mobile or tablet devices, a switch to ECC would result not just in similar performance improvements but also in lower battery usage.
In particular, elliptic curves have smaller parameters, which allow for smaller keys at the same bit security level. For example, to achieve 128-bit security, an RSA/DLP modulus must be 3072 bits. Elliptic curves achieve the same security level with only 256-bit parameters. They are also faster for most operations, but RSA is still technically faster for signature verification.
> Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
True, but elliptic curve cryptography is just as vulnerable to quantum computers, however long off that problem may be.
dfabulich|8 years ago
The canonical example that IMO doesn't make sense is when Alice and Bob want to communicate privately using Eve as an webmail provider who wants to snoop in on the communications. Alice and Bob can't just trust Eve to provide a copy of OpenPGPjs in a <script> tag on EveMail.com, because then they're trusting Eve to provide a legitimate PGP implementation, trusting Eve not to log their keystrokes in JS, etc.
I can understand OpenPGPjs as a server-side library in Node (though I suspect it would be safer to run a battle-hardened library like GPG with node FFI).
But, in client-side web code, how could this ever make sense?
dane-pgp|8 years ago
From Alice's point of view, she is just using webmail as she always has, except now she has the assurance that no one (other than Eve) can spoof Bob's identity, and that Bob's mail server isn't reading the messages she sends him (unless Eve is deliberately leaking the plaintext somehow despite sending Bob the encrypted version).
Long term it would be nice if the W3C's SRI standard was extended to allow offline signing of JavaScript files:
https://github.com/w3c/webappsec/issues/449
and for browsers to prompt you whether you wanted to run a new (offline signed, maybe independently audited) version of those files.
dmos62|8 years ago
johannes1234321|8 years ago
One would of course still need a protection against key logging etc. (eventually the web extension has relevant matter only in a pop-up?)
crispyporkbites|8 years ago
What might help is a browser extension that tracks changes and allows you to “lock” into a version of a website.
WhatIsDukkha|8 years ago
https://github.com/kylehuff/webpg-chrome
We deserve a better userspace from our browsers. The excuse that "users" don't want this because its "hard" is circular.
theli0nheart|8 years ago
sphix0r|8 years ago
It's shocking how much sensitive data is sent by mail (contracts, passwords, lawyers, etc..) without pgp signing / encryption on a daily basis.
woranl|8 years ago
Shoothe|8 years ago
xs|8 years ago
protonmail|8 years ago
vabmit|8 years ago