The idea behind this utility is to encourage the use of PGP for sending
email. Currently, using PGP with email requires you to compose the
message, get the recipient's public key, encrypt the message, upload it
to your system (or transfer it over using the clipboard), and email it.
It would be much easier if sending a PGP email message was as simple as
clicking a mouse. Thus, this idea for a PGP plugin. It goes like this:
You create a small text file containing an email address and a PGP public
key. Your own email address and key would be the best choice, of course,
but it doesn't have to be yours. Place that file on your Web page with a
unique extension, such as public_key.key. Include a link to this text
file on your page, with a standard anchor like this:
<li><a href="http://public_key.key">Click here to send me a PGP email message</a>
When your Web browser reads a .key file, it invokes the PGPmail plugin
utility. This utility calls up a window that allows you to compose your
email message (just like a standard email form). When you have finished
composing the message, you click the "Send" button as usual. The utility
then does the following:
- Reads the public key from the .key file.
- PGP-encrypts the message with that public key, using the PGP -eat option.
- Emails that PGP-encrypted message to the address given in the .key file.
The major advantage of this utility is that it would allow you to send an
email message to anyone who puts their public key onto their Web page in
this fashion, without having to go through the rigamarole of getting the
public key, saving it to a file, encrypting the message, emailing the
message, and then deleting the public key again (to keep from bloating
your keyring, especially if it's not someone you plan to have a regular
conversation with).
It would also ensure security on your part, because the PGP encryption
would take place entirely on your own system. You wouldn't have to
depend on a CGI script and someone else's copy of PGP, because the email
process doesn't take place until *after* you have encrypted the email
message.
The ability to send a PGP-encrypted email message with one click of the
mouse would result in an explosion of PGP use over the Web. It would
allow safe transactions of private information, such as people already do
with PGP - but it would be so EASY that anyone with a Web browser could
do it!
--
Reverend Modemac (mod...@netcom.com)
First Online Church of "Bob" "There is no black and white."
PGP Key Fingerprint: 47 90 41 70 B4 5B 06 90 7B 38 4E 11 8A ED 80 DF
URL: http://www.tiac.net/users/modemac/
(FINGER mod...@netcom.com for a FREE SubGenius Pamphlet!)
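The three steps listed in the proposal above (read the key from the .key file, encrypt on the sender's own machine, mail only the ciphertext), as an added Python example that is not code from this thread. It assumes a .key layout of one address line followed by one armored key block, uses GnuPG's gpg in place of the `pgp -eat` call, and all function names are hypothetical.

```python
import re
import subprocess
import tempfile
from email.message import EmailMessage

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----.+?"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.S)
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

def parse_key_file(text):
    """Assumed layout: first non-blank line is the address, then one armored key."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not ADDRESS.fullmatch(lines[0]):
        raise ValueError("first line must be a bare email address")
    blocks = ARMOR.findall(text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one armored public key block")
    return lines[0], blocks[0]

def gpg_encrypt(key_block, plaintext, gpg="gpg"):
    """Encrypt locally with a throwaway keyring, so the user's keyring is untouched."""
    with tempfile.TemporaryDirectory() as home:
        base = [gpg, "--homedir", home, "--batch", "--quiet"]
        subprocess.run(base + ["--import"], input=key_block.encode(), check=True)
        listing = subprocess.run(base + ["--with-colons", "--list-keys"],
                                 capture_output=True, text=True, check=True).stdout
        fprs = [ln.split(":")[9] for ln in listing.splitlines() if ln.startswith("fpr:")]
        if not fprs:
            raise ValueError("key block contained no usable key")
        out = subprocess.run(base + ["--armor", "--trust-model", "always",
                                     "--recipient", fprs[0], "--encrypt"],
                             input=plaintext.encode(), capture_output=True, check=True)
        return fprs[0], out.stdout.decode("ascii")

def compose(key_file_text, sender, body, encrypt=gpg_encrypt):
    """Return (fingerprint, message); only ciphertext is placed in the message."""
    address, key_block = parse_key_file(key_file_text)
    fingerprint, ciphertext = encrypt(key_block, body)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, address, "PGP-encrypted message"
    msg.set_content(ciphertext)
    return fingerprint, msg

# Constructed sample for the parser; the key body is a placeholder, not a real key.
SAMPLE = """recipient@example.org
-----BEGIN PGP PUBLIC KEY BLOCK-----

(placeholder key material)
-----END PGP PUBLIC KEY BLOCK-----
"""
```

The fingerprint returned by `compose` is what a client would show the sender for comparison with one obtained separately, since the .key file itself arrives over plain HTTP.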
I have gone on a different tack with this.
I am in the process of writing a series of rexx scripts that integrate PGP
with my e-mail program MR/2ICE. It will handle automatic inbound processing;
verify sigs, auto decrypt, auto add keys; auto outbound processing, signing,
encrypting; plus a wide variety of options "on-demand" while reading/writing
messages.
I have also written a small key server that works with MR/2ICE. Users can
add keys, retrieve keys, get a list of keys, get the entire key ring, &
retrieve a FAQ on how to use the key server.
--
-----------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting WebExplorer & Java Enhanced!!!
Look for MR/2 Tips & Rexx Scripts
Finger whg...@amaranth.com for PGP Key and other info
-----------------------------------------------------------
.. Get OS/2 - the best Windows tip around!
-- MR/2 2.26 NR
do it.
example:
<embed src="mbab...@cyberbeach.net.pkey">
The Netscape plug-in would be activated and display a standard image /
text explaining that this is the person's public key ... and you click
to send a private E-mail. Right-clicking would allow checking
signatures, adding the key to your keyring, signing the key and
sending the person an encrypted message.
- Michael T. Babcock - Programmer, Privacy Activist, Wannabe artist -
- HTTP://WWW.FELDSPAR.COM/~MBABCOCK -
----THIS PERL SCRIPT IS ILLEGAL TO EXPORT FROM THE USA ----
#!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL
$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa
2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print
pack('H*',$_)while read(STDIN,$m,($w=2*$d-1+length($n)&~1)/2)
Your suggestion is useful, but I think I should clarify my proposal. I'm
*not* looking for a utility that is designed to handle all of your PGP
functions; rather, what I'd like to see is a simple utility with one
single, direct purpose: to enable you to send a PGP-encrypted email
message from a Web page, with one single click of the mouse, in a fashion
similar to the way the <mailto:> function works in standard HTML.
My reason for encouraging the development of a single plugin utility of
this sort is to encourage the use of PGP among people sending email. The
vast majority of email messages sent over the Net, especially from Web
pages, are not encrypted because it is far easier for people to simply
add a <mailto:> link to their Web page, rather than programming in a
complex Java application. Even the Web pages that should use PGP mail
all the time -- such as the anonymous remailer Web pages -- are set up in
the standard fashion because there is currently no easy way to integrate
PGP into a Web browser.
PGP encryption should become a standard with the *sending* of email
through a link on a Web page, because it will: a) result in an increase
of the number of encrypted email messages (more privacy that way), and b)
encourage the developers of email-management software to make PGP a
standard in their design. PGP still isn't included in most software
packages, because the vast majority of email messages are not encrypted.
While work in this area is proceeding, it isn't moving fast enough. If
there was a sudden increase in the number of PGP-encrypted email messages
passing back and forth, then this would increase the *demand* for email
packages with a PGP management system. The best way to increase this
demand is to introduce PGP into the mainstream, where the Great Unwashed
Masses can use it quickly and easily. And the best way to do this is to
include a simple plugin utility that is simple to set up and even simpler
to manage.
RealAudio has become a standard on many Web pages because the RealAudio
plugin is easy to use. A PGPmail plugin could conceivably have the same
effect.
As far as the part of sending encrypted mail from a web page this is rather
easy to do with no plug-in required.
On the server you would need a copy of PGP & the public key of who the
mail-link was for. Then when the send button is pushed one calls a cgi
script which calls pgp to encrypt the message. This message is then sent on
its way without the end user having to interact with PGP at all.
Now the receiver of the mail would have to have a full PGP set-up to handle
the incoming mail. :)
--
-----------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting WebExplorer & Java Enhanced!!!
Look for MR/2 Tips & Rexx Scripts
Finger whg...@amaranth.com for PGP Key and other info
-----------------------------------------------------------
.. What I like about MS is its loyalty to customers!
-- MR/2 2.26 NR
Unfortunately, there is one problem with this idea: by invoking the cgi
script, you are relying on someone else's copy of PGP to do your
encryption. Would YOU want to encrypt your own private email messages
on someone else's system? I certainly wouldn't.
The only way for people to be truly secure with encrypting email is to do
it on their own systems, and have the message fully encrypted BEFORE it
is sent to the Net, or even before the Net interacts with their systems
in any way.
Hence, the need for a PGPmail plugin application.
We're working on this. We've tried the DDE SDI approach, and though
it works, v2.01 and higher versions of Netscape now present a
'Security warning' dialog when a custom protocol ( pgpmailto: ) is
accessed.
So that approach is not acceptable. We are now looking at a more
complex, alternative approach. If we are lucky it should be done by
the end of July.
> As far as the part of sending encrypted mail from a web page this is rather
> easy to do with no plug-in required.
>
> On the server you would need a copy of PGP & the public key of who the
> mail-link was for. Then when the send button is pushed one calls a cgi
> script which calls pgp to encrypt the message. This message is then sent on
> its way without the end user having to interact with PGP at all.
>
> Now the receiver of the mail would have to have a full PGP set-up to handle
> the incoming mail. :)
Yes, but the information is not encrypted during the transfer from
the web page to your server CGI script. Plus, writing CGI
scripts is far more difficult than using the mailto: url.
--
David j. Sopuch
Datamax Research corp. http://www.iwinpak.com
** PageCommerce - the No Server PGP Commerce Solution **
** MailMerce - the $99 PGP Mail Commerce Solution **
>
>whg...@amaranth.com wrote:
>>On the server you would need a copy of PGP & the public key of who the
>>mail-link was for. Then when the send button is pushed one calls a cgi
>>script which calls pgp to encrypt the message. This message is then sent on
>>its way without the end user having to interact with PGP at all.
>Unfortunately, there is one problem with this idea: by invoking the cgi
>script, you are relying on someone else's copy of PGP to do your
>encryption. Would YOU want to encrypt your own private email messages
>on someone else's system? I certainly wouldn't.
>The only way for people to be truly secure with encrypting email is to do
>it on their own systems, and have the message fully encrypted BEFORE it
>is sent to the Net, or even before the Net interacts with their systems
>in any way.
>Hence, the need for a PGPmail plugin application.
>
I was not intending this for the experienced user. I personally would never
send any sensitive info over a web page. I would use PGP & E-Mail. This
thread originally started as a way for the "unwashed masses" to send
encrypted mail via a web page.
To have a PGP plugin would still have all the problems mentioned earlier of
key management & encryption for an inexperienced user. IMHO you can not have
a "secure" encryption method & have the end user know nothing about what is
going on.
The closest thing to that is to have everyone using "secure browsers" &
"secure servers" where all data is encrypted & a "trusted" third party
verifying the authenticity of those sending the data. Even this approach has
severe limitations.
And to be truly honest the "unwashed masses" have never cared about
security and never will. Just take a look at how many CC#'s & Calling Card
#'s get stolen each year. It is just an unfortunate fact that the "unwashed
masses" are and always will be the "unwashed masses".
--
-----------------------------------------------------------
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting WebExplorer & Java Enhanced!!!
Look for MR/2 Tips & Rexx Scripts
Finger whg...@amaranth.com for PGP Key and other info
-----------------------------------------------------------
.. Windows: an Unrecoverable Acquisition Error!
-- MR/2 2.26 NR
> >
> >whg...@amaranth.com wrote:
> >: I am in the process of writing a series of rexx scripts that integrate PGP
> >: with my e-mail program MR/2ICE. It will handle automatic inbound processing;
> >: verify sigs, auto decrypt, auto add keys; auto outbound processing, signing,
> >: encrypting; plus a wide variety of options "on-demand" while reading/writing
> >: messages.
> As far as the part of sending encrypted mail from a web page this is rather
> easy to do with no plug-in required.
> On the server you would need a copy of PGP & the public key of who the
> mail-link was for. Then when the send button is pushed one calls a cgi
> script which calls pgp to encrypt the message. This message is then sent on
> its way without the end user having to interact with PGP at all.
> Now the receiver of the mail would have to have a full PGP set-up to handle
> the incoming mail. :)
Humm. CGI-Scripts are not the right way to handle PGP-Mails.
The message isn't encrypted from the client to its server.
------------------------------------------------------------------------------
Walking on places where no man has gone before.
_ |_ _ _|_ _ _ _| E-Mail: rene.e...@itr.ch
(/_|_)(/_| | |(_|| (_| W3 fun: http://www.itr.ch/~reberhar/
------------------------------------------------------------------------------
You might try WinPGP 5 when it releases in July. It has a built in hook
to the MS Exchange mailer in Win95 and takes ascii armored encrypted
messages and sends them.
Chris Geib
I think a port to Java would not be a trivial task (if possible/ not
already done) but well worth it. Since only one port would work on all
Java code browsers. Someone might start by creating a secure Java
pgp.class that could be used by Java authors to send secure replies
(not just e-mail) to their CGI and other return information.
Even only encrypting function mail would be very useful. Key
generation and decoding could be left to the 'real' PGP.
just a thought,
Brad Johnson
But surely the web servers could not export the code!
<a href="http://www.portal.com/~hfinney/">Hal Finney</a> has
developed a PGP mail sender applet in Java. It lets you grab a key
from the keyservers and encrypt the message for a recipient. It isn't
PGP, as he says clearly, but it's a start and contains much of the
core. He does beautiful work, too.
-- Bob
I did something like this a few months ago. Take a look at <URL:
http://www.portal.com/~hfinney/java/java.html > and follow the links, if
you dare, to the pgp-compatible mailer applet. Please be aware of the
many legal restrictions surrounding the use of this code.
Hal Finney
hfi...@shell.portal.com