firefox: decrypt the encrypted messages with GPG inside a web page

7 views
Skip to first unread message

Scot

unread,
Jun 22, 2022, 8:48:30 AMJun 22
to
On some web pages that are part of forums with messages posted by me, I
often add encrypted parts that contain personal technical data.
For example https://pasteboard.co/bor4l8dpzmbbo.png (see the final part)

But let's get to the point.

There is some extension for Firefox to decrypt them instantly or by
pressing some special key (as thunderbird does when a message contains
encrypted parts).

Yes, of course to the extension, the special private keys must be
provided, of course !!!

Dan Purgert

unread,
Jun 22, 2022, 11:27:05 AMJun 22
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Scot wrote:
> On some web pages that are part of forums with messages posted by me, I
> often add encrypted parts that contain personal technical data.
> For example https://pasteboard.co/bor4l8dpzmbbo.png (see the final part)

URL 404's here.

Seems kinda pointless to add encrypted data to a post you're making on a
forum though, unless you have the public key(s) of the intended
recipient(s) ...



-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3asj+xn6fYUcweBnbWVw5UznKGAFAmKzNNsACgkQbWVw5Uzn
KGD++Q/+KqduQoxY025JlElgpKyLrWFztk7ZSCQvLkru7I0/t4O8cbAF0gsziUW/
wwlfiNzR450iLXjMcQvwlAhQnElgOI7wAZcW6pcqA6YZr6SZFWWgAaLEt5cpE35j
ddrwqeb3tLRBCwgnH/TpLLKVrDSdg2zigq9hoUcMNznjYwCUpzN6gGaIAVcV8E6c
8ZAwxp2pTKQuDw+9k6o5spYHr/XnpZwfLkUSzIHGXXyeNfsM6ela1/jdPs4F3/N2
Z3xMPdrcHuVIkwSNom5g32BpCXj3a0vOj9iKtMJ4rq3nKI1plrultSKbBoQaIhgY
w0Z46v/UsTYjuhXxtsxBJc0SAunZA3g7uiWwUpmZtMgSWUFZpq82IsyZ5ayLz26K
arhPAZmbcfCGm0z1S1fV4g+ScFmvMdZgPUj8ZqwnfCuZuetw+bQO7mNwQfFUko0M
zVvhoMf2RTNVG7o02p110kMoHDxkL/KasQV4kWNNjmqdimqfCU+Qkx2k8hAQjJkT
v7kXkof1klb/Ertk2g8uQ+WQmOqTRbHSyt+aLiqw+SYTQjcyGyAarT/OcN+pmvC4
kFokLScoSflPBHg/04Q3t/0gUTXLxCKjAJc+L2IKDax+/p5l+/FpGGSWMDzGl4uz
nGi2g6acFph/9YLkjrhrcad6eB5+Gorj/c0qobPRU3sDNVcTYPk=
=ZR7N
-----END PGP SIGNATURE-----

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

Aragorn

unread,
Jun 22, 2022, 12:19:46 PMJun 22
to
On 22.06.2022 at 15:27, Dan Purgert scribbled:

> Scot wrote:
> > On some web pages that are part of forums with messages posted by
> > me, I often add encrypted parts that contain personal technical
> > data. For example https://pasteboard.co/bor4l8dpzmbbo.png (see the
> > final part)
>
> URL 404's here.
>
> Seems kinda pointless to add encrypted data to a post you're making
> on a forum though, unless you have the public key(s) of the intended
> recipient(s) ...

About as pointless as adding 17 lines worth of PGP-related information
to what could have been a five-original-lines message body? :p

--
With respect,
= Aragorn =

Grant Taylor

unread,
Jun 22, 2022, 4:53:50 PMJun 22
to
On 6/22/22 9:27 AM, Dan Purgert wrote:
> Seems kinda pointless to add encrypted data to a post you're making on a
> forum though

Not necessarily.

The OP stated that they add "encrypted /parts/" which tells me that not
all of the post is encrypted.

As such, I'm speculating that the OP is using the forum as a way to
store -- let's go with -- non-public information in a way that puts the
burden of storage on the forum. In some ways it's sort of like a web
server sending cookies to the client for storage and later use by the
web server when re-visiting the same page / site.

There is also the possibility that the OP can privately share decryption
material with selected other people so that they can decrypt and work
with the data while everybody else can't.

It's probably a fairly atypical behavior, but it's one that I can see a
limited use case for.



--
Grant. . . .
unix || die

J.O. Aho

unread,
Jun 23, 2022, 4:20:56 AMJun 23
to
On 22/06/2022 14.48, Scot wrote:
> On some web pages that are part of forums with messages posted by me, I
> often add encrypted parts that contain personal technical data.
> For example https://pasteboard.co/bor4l8dpzmbbo.png (see the final part)
>
> But let's get to the point.
>
> There is some extension for Firefox to decrypt them instantly or by
> pressing some special key (as thunderbird does when a message contains
> encrypted parts).

There are Tana PGP and maybe some other, but the use is quite limited as
the web forum has to follow a standard setup by Tana PGP.
Without web forums following a standard, then you would need to build a
plugin for each forum-engine and then get users to follow a standard of
posting the encrypted data.

I think there is better ways to do this, like Mega.io or something
similar and share the link and share the keyword by PM to those you want
to give access.

--

//Aho


Scot

unread,
Jun 23, 2022, 4:48:27 AMJun 23
to
Il 22/06/22 17:27, Dan Purgert ha scritto:
> Scot wrote:
>> On some web pages that are part of forums with messages posted by me, I
>> often add encrypted parts that contain personal technical data.
>> For example https://pasteboard.co/bor4l8dpzmbbo.png (see the final part)
>
> URL 404's here.

https://pasteboard.co/oA3vg4BMxbIe.png

> Seems kinda pointless to add encrypted data to a post you're making on a
> forum though, unless you have the public key(s) of the intended
> recipient(s) ...

????

Scot

unread,
Jun 23, 2022, 4:59:30 AMJun 23
to
Il 22/06/22 18:19, Aragorn ha scritto:
I do it to have a single documentation, both public and private
(password, portions of code for tests, etc.), in one place.
Without keeping a separate file on your computer.

Scot

unread,
Jun 23, 2022, 5:03:46 AMJun 23
to
Il 22/06/22 22:54, Grant Taylor ha scritto:
Exactly!!!

Dan Purgert

unread,
Jun 23, 2022, 5:44:10 AMJun 23
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Anyone (everyone) can grab my public key, and verify the signature on
the message. Pretty obvious when something comes across from those
trolls that like to impersonate others too. Downside of the signature,
is of course, the extra traffic.

Nobody save Scot (and/or those people for whom he has the encryption
key) can read his "encrypted parts that contain personal technical
data".

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3asj+xn6fYUcweBnbWVw5UznKGAFAmK0NfwACgkQbWVw5Uzn
KGBMjQ/+PwScaz5gK8kR9mEEGFz2Vgv+p8HED8Cw4syh70o4ZZVfIP2m74rhOh3q
6VeFQxlSRX5qock5KBzpuCjkmJPc/e/g0X5vF5+JPuRM6d06gGDMT3pZsj1WMYZZ
GhUPPdmpqZ0z5accEof1KglQqZk2kh1H5Pn/THKvgnCPtnLjcwGwSNiuzNZ4JlHX
3x9trMOcnn94E5OFEbVL8ZyS0sD/ihYJ3PgHY5pioerA8+k5Fh32HyqmHdqTNaer
eseRqxadIGgaAncfXX8V5p4w1Wh4eVaTAi1e+P3egUHBMmyE533nB6JBaFnmlQaq
ygJhk080kH/4EyUtbNXqMMBQoOvdr18jwdYq9RaC2xDECaExH0uIKWwhyr1NXt18
KI1um0qSjbYsm8hWwc57WeoX6g44WhKtqRXgBPpcHwOAN3qYJiisYcIwUrE8QnXT
CREKfyXgYoPwRKEa+3Nl7Jeky0q7XbQ88ZthrfOciUD0ITxMIjvIPUyKZbPQAOd/
qYubkEvuynOXiaPGMm1YQxrk+1gH8vEuOA61X3QK9ouahtVqDGikHoxvwGqUJb7N
Bn0p3wdO9uQw3mz5hOcv3yLdrhE5nnBiCO3Ny+d1gmnOj8vT+mwvZiUNjqW64a/n
uhZ+XWV10mvqyzfeRMmiLNuJKhAmwbXrKDwUIR28KTzu/s2u2ns=
=uzJE

Mike Easter

unread,
Jun 23, 2022, 1:54:03 PMJun 23
to
Dan Purgert wrote:
> Aragorn wrote:
>> Dan Purgert scribbled:
>>
>>> Seems kinda pointless to add encrypted data to a post you're making
>>> on a forum though, unless you have the public key(s) of the intended
>>> recipient(s) ...
>>
>> About as pointless as adding 17 lines worth of PGP-related information
>> to what could have been a five-original-lines message body? :p
>
> Anyone (everyone) can grab my public key, and verify the signature on
> the message. Pretty obvious when something comes across from those
> trolls that like to impersonate others too. Downside of the signature,
> is of course, the extra traffic.
>
If we are going to have a meta discussion of pgp/gpg uses as it applies
to newsgroup messages, I'll give my opinions.

- in terms of how one should 'defend themselves' against newsgroup
'sporgers' (spoofs and forgers), I believe that there are better and
more efficient ways to combat that problem than clearsigning

- in terms of people using their newsreaders to *practice*
clearsigning and authenticating, historically there have been specific
newsgroups where people routinely do such clearsigning with each other
and helping those who aren't yet familiar w/ the tools for clearsigning
and verifying

- in order to verify a clearsigning, one needs to acquire the DP
public key, put it into a key manager which is integrated with a news
client which is equipped to do that. I would say that normally, few to
almost none in this group are so equipped and configured. Personally I
have acquired DP's key and I use pgpdump as a tool; but my news client
is NOT configured to routinely verify clearsigning. I only use pgp/gpg
tools to authenticate linux .iso/s or their hashes w/ a system that is
configured for that purpose

- if I were participating in groups where there was active sporgery
and wanted to (or 'had to' defend myself, I would be using a provider
which required reg and also allows the account to configure the MID.
DP's eternal-september does just that; he could configure his e-s
account for a 'personalized MID stamped by e-s instead of his slrn. No
one could forge his personalized e-s MID (without an unusual tool/agent
which I haven't seen employed in common sporgeries). My provider, which
is a lowcost pay NSP also provides that feature, and pay NSPs are
/never/ employed by sporgers.

- this group hasn't been having a problem w/ sporgery, so the basis
for clearsigning everything here is weak.



--
Mike Easter

Mike Easter

unread,
Jun 23, 2022, 3:05:17 PMJun 23
to
Mike Easter wrote:
>
>  - if I were participating in groups where there was active sporgery
> and wanted to (or 'had to' defend myself, I would be using a provider
> which required reg and also allows the account to configure the MID.
> DP's eternal-september does just that; he could configure his e-s
> account for a 'personalized MID stamped by e-s instead of his slrn.  No
> one could forge his personalized e-s MID (without an unusual tool/agent
> which I haven't seen employed in common sporgeries).  My provider, which
> is a lowcost pay NSP also provides that feature, and pay NSPs are
> /never/ employed by sporgers.
>
I should explain this situation w/ e-s better, because while MID
sporgery is pretty easy (or not too hard), forging the Path by
preloading is easier to catch.

In the example of a DP e-s Path:

> Path: uni-berlin.de! fu-berlin.de! news.karotte.org! news2.arglkargh.de! news.mixmin.net! eternal-september.org! reader02.eternal-september.org! .POSTED!not-for-mail

(bangs separated for wrapping)

... the important part is the insertion at reader02.e-s. If DP chose to
configure his e-s account in the account field for 'Register FQDN' you
are given the ability to provide a subdomain name which is added to
yoursubdomain.eternal-september.org.

Then, optionally one can let e-s stamp the MID that way, which is
'difficult' for sporgers to forge, but even more importantly in terms of
forgery detection, the *Path* is stamped as the injection being that
subdomain.e-s instead of reader02.e-s.

--
Mike Easter

jjb

unread,
Jun 23, 2022, 3:28:56 PMJun 23
to
On 23-06-2022 19:54, Mike Easter wrote:

>  - in order to verify a clearsigning, one needs to acquire the DP public
> key, put it into a key manager which is integrated with a news client
> which is equipped to do that.  I would say that normally, few to almost
> none in this group are so equipped and configured.

You may be right. I may be one of the few (using Thunderbird to read
both mail and postings, integrated with gpg).
Reply all
Reply to author
Forward
0 new messages