[tor-talk] Ideas to securely implement PGP encryption/decryption

Mike Perry mikeperry at fscked.org
Tue Oct 11 20:37:27 UTC 2011


Thus spake Moritz Bartl (moritz at torservers.net):

> On 11.10.2011 04:07, Mike Perry wrote:
> >> At the moment, I cannot think of any attack vectors once you combine it
> >> with enabled Torbutton (or a stripped down Tor Browser) where active
> >> scripting/access to the DOM is disabled completely.
> > Actually, these attacks are generally prohibited by strong isolation
> > between the content script and the XUL script. In XUL, you can read
> > the ciphertext, extract it, decrypt it, and display it in a protected
> > XUL window without introducing risk, IF all steps are done properly.
> 
> I was thinking of the obvious interaction a user expects for encryption
> of plaintext data: I type data into a web form, when I am done I execute
> the encrypt command.
> I don't see how you can isolate web forms in the DOM in a way that it
> cannot be read in between typing and encrypting the data.

Yes, good to clarify. I was assuming that all encryption and
decryption UI would be 100% independent of the normal content window,
aside from perhaps a context menu (though even that is prone to
deception issues and clickjacking).

The UI should not provide a way to encrypt text that has already been
typed into a form. Even non-malicious JS can screw you for that user
model. For example, Gmail will save plaintext drafts of your email
periodically "just in case", which will defeat the purpose of the
addon entirely.

The UI should open an alternate XUL window for user input using a
context menu or toolbar button, and should instruct users not to type
sensitive plaintext into existing form boxes prior to use of the XUL
window.

Lots of tough UI issues to solve on the encryption side, it seems.
Perhaps almost as tricky as safely handling the potential hostile
input and safely displaying the output for the decryption side.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
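The "read the ciphertext, extract it" step that the decryption side has to get right against hostile page text, as an added example that is not code from this thread, Torbutton or any Tor project: a strict extractor for an ASCII-armored PGP message, following the armor layout and CRC-24 of RFC 4880 (the helper names, the `armor` builder and the sample page are constructed for this example).

```javascript
// CRC-24 from RFC 4880 section 6.1, computed over the decoded binary body.
function crc24(bytes) {
  let crc = 0xB704CE;
  for (const octet of bytes) {
    crc ^= octet << 16;
    for (let i = 0; i < 8; i++) if ((crc <<= 1) & 0x1000000) crc ^= 0x1864CFB;
  }
  return crc & 0xFFFFFF;
}
const BEGIN = '-----BEGIN PGP MESSAGE-----', END = '-----END PGP MESSAGE-----';

// Pull the first armored message out of untrusted page text. Text outside the
// block is ignored; the block is accepted only if headers, line lengths, base64
// and the CRC-24 are exactly as armor requires, so it is rejected before any decryption.
function extractArmoredMessage(pageText, maxLines = 4096) {
  const lines = pageText.split(/\r?\n/);
  const start = lines.indexOf(BEGIN), end = lines.indexOf(END, start + 1);
  if (start < 0 || end < 0) throw new Error('no armored message');
  if (end - start > maxLines) throw new Error('armor block too large');
  let i = start + 1;
  for (; i < end && lines[i] !== ''; i++) { // armor headers such as "Version: ..."
    if (!/^[A-Za-z-]+: [ -~]*$/.test(lines[i])) throw new Error('bad armor header');
  }
  if (i >= end) throw new Error('missing blank line after headers');
  const body = []; let checksum = null;
  for (i += 1; i < end; i++) {
    const line = lines[i];
    if (line.startsWith('=')) { // "=XXXX": base64 of the 3-byte CRC, must come last
      if (checksum !== null || !/^=[A-Za-z0-9+/]{4}$/.test(line)) throw new Error('bad checksum line');
      checksum = Buffer.from(line.slice(1), 'base64');
    } else if (checksum !== null || line.length > 76) {
      throw new Error('bad armor body line');
    } else body.push(line);
  }
  if (checksum === null || checksum.length !== 3) throw new Error('missing checksum');
  const joined = body.join('');
  if (joined.length % 4 || !/^[A-Za-z0-9+/]+={0,2}$/.test(joined)) throw new Error('bad base64 body');
  const data = Buffer.from(joined, 'base64');
  if (crc24(data) !== checksum.readUIntBE(0, 3)) throw new Error('armor CRC mismatch');
  return data;
}

// Build an armored block from raw bytes; used here only to construct the sample.
function armor(data) {
  const crc = Buffer.alloc(3);
  crc.writeUIntBE(crc24(data), 0, 3);
  const b64 = data.toString('base64').match(/.{1,64}/g) || [];
  return [BEGIN, 'Version: example', '', ...b64, '=' + crc.toString('base64'), END].join('\n');
}
// Constructed sample: an armored block buried in page markup (not a real OpenPGP packet).
const SAMPLE = Buffer.from('constructed sample body, not a real OpenPGP packet');
const SAMPLE_PAGE = '<p>Forwarded:</p>\n' + armor(SAMPLE) + '\n<p>end</p>';
```

The extracted bytes would then go to the decryption routine, and whatever it returns should be shown as plain text in the privileged window, never handed back to the content DOM as markup.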

