[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Encrypted Web Pages?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Encrypted Web Pages?
From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Mon, 17 Dec 2007 10:26:22 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Mon, 17 Dec 2007 10:32:32 -0500
In-reply-to: <204193.84523.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <204193.84523.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.6 (X11/20071022)

I have what may perhaps seem like a strange question.Is there any commonly used software for encrypting anddecrypting web pages?


Yes, SSL .. and it's been around for quite a while.

Let me explain that a little better:  imagine a web
site which has content destined for specific
individuals.  For each individual there is separate
content on separate pages, and no one but the
individual for whom the content is destined should be
able to read the content, not even the creator of the
content!

Why not just SSL the site, and then restrict access to it usingcertificates (still X.509, but separate from the one used for transportsecurity)

In other words, is there a private/public key
mechanism similar to PGP (or even a PGP web page
plugin) that will work transparently while browsing
the web?  The transparently part would mean that a
user can provide a private key to a browser and any
pages encrypted with the user's public key would
automatically be decrypted for him when he views them.

Again, this can be easily provided by issuing X.509 certificates to theend-users and then requiring those certificates to authenticate to thewebserver. Transport security (as it pertains to TOR, etc.) is providedby a separate X.509 certificate who's purpose is to sign the encryptedchannel over which the data is transfered. You would manage the X.509certificates assigned to your users by yourself, so you could handlerevolkations (although Verisign, et.al. will happily sell you acommercial X.509 solution for client auth).

If you had a scenario where you needed to deploy a webserver in "hostileterritory" and needed to ensure the security of the data thereon, youcould conceivably gzip and GPG each .html page and associated items withmultiple public keys based on some other criteria (like what cert thebrowser provided) and then let the end-user decrypt it with theirprivate .. but this definitely won't be "automatic" .. but you couldwrap it in Java to make it somewhat portable if you wanted. You couldalso write an ActiveX or XPI plug-in to incorporate it into the browser.. but then you're putting a lot of "trust" in a 3rd party with your GPGkeys.


~Mike.

Follow-Ups:
- Re: Encrypted Web Pages?
  - From: Martin Fick

References:
- Encrypted Web Pages?
  - From: Martin Fick

Prev by Author: Re: Best Hardware for TOR server..
Next by Author: Re: Encrypted Web Pages?
Previous by thread: Re: Encrypted Web Pages?
Next by thread: Re: Encrypted Web Pages?
Index(es):
- Author
- Thread