
Re: Encrypted Web Pages?



--- "Jonathan D. Proulx" <jon@xxxxxxxxxxxxx> wrote:

> On Mon, Dec 17, 2007 at 09:25:13AM -0800, Martin
> Fick wrote:
> 
> :> It's an interesting threat model though :)
> :
> :Yes, but it really is a fairly simple one.
> :I am surprised that HTML does not seem
> :to have some extension to deal with this
> :already.  It is not much different from 
> :encrypted email concepts, just that the 
> :browser needs the ability to do the
> :decrypting instead of your mail program.  
> :The simplest fallback may be to simply 
> :open the web page with the user's mailer 
> :(if their mailer supports that).
> 
> 
> The major difference is that email was designed
> for personal correspondence, and evolved along 
> those one to one lines. 

Sure.

> HTTP is a publishing mechanism in which you 
> usually want people to see it, or restrict 
> viewing to a group and is thus centered
> around one to many (or in "web2.0" land 
> many to many) communication lines.

Yes, but I really am just talking about a 
more secure version of the one to many 
scenario where you don't trust the server!
The many, of course, can always be one.

> So I can understand why there isn't a ready made
> solution, using HTTP for secure one to one 
> communication on an untrusted server just isn't
> something that's done, and secure one to many is
> done by owning and securing the server.

Ignore the "one to one" aspect and I think 
that you may still be right.  But trusting 
the server still leads to a less secure 
method of 'one to many' and my suggested 
"HTML features" would be helpful there too!


> This isn't to reflect on your 
> application except to say it's 
> uncommon.

Maybe not so uncommon, just that most
people readily accept that the server 
should "know all" or they give up.  

I think that there are many 
opportunities which are lost because
some people will not outsource their
hosting because they will not accept that 
"the server should know all" and because
they do not have the resources to host
things themselves.  The simplest and 
most obvious one is encrypted webmail
using regular webmail sites.

A solution to this problem could open up 
many new doors, and many of those doors 
I suspect would be very welcomed/needed 
in tor land, not just for my application.

-Martin


