In case anyone that doesn't follow the development of the library closely missed it, the main improvement in this version is the introduction of ECC support. ECC tends to be able to provide equivalent levels of security as traditional "big prime" cryptography (like RSA) with less computationally intensive operations. This is especially important in a library like OpenPGPjs that is primarily meant for in browser based web usage because it should make things, like sending and receiving mail, faster when ECC is used over older PGP public key encryption systems. For people that use ProtonMail's web based crypto on mobile or tablet devices, a switch to ECC would result not just in similar performance improvements but also in lower battery usage.
Currently, ProtonMail uses RSA keys, but this addition of ECC support to their web encryption library may mean that they are about to start switching users to ECC keys. Because using "larger" (when compared with equivalent theoretical strength RSA keys, for example) ECC keys is less resource intensive than using higher security keys in some other forms of cryptosystems (like RSA) it may also be an indication that ProtonMail is preparing to upgrade users to higher security/stronger keys.
Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
>Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
> Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
Personally I'd stay away from NIST recommended curves for long term keys (as used in OpenPGP). Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.
> Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.
That's not a problem of NIST recommendations. There aren't any post-quantum secure elliptic curve public-key systems. The fundamental computational problem used by ECC public-key cryptography isn't post-quantum secure, so it's not really a matter of curve choice.
The problem with NIST curves (vs ed25519) is the choice of parameters (it is not clear why they have such and such values) and the implementation edge cases. You already know it but maybe someone else will find it interesting: https://safecurves.cr.yp.to/
The comment about post quantum crypto did not relate to ECC directly. I just would like to see some PQ crypto in OpenPGP :)
> In case anyone that doesn't follow the development of the library closely missed it, the main improvement in this version is the introduction of ECC support.
Wow...I'm sort of shocked that wasn't a v1.0 consideration.
> ECC tends to be able to provide equivalent levels of security as traditional "big prime" cryptography (like RSA) with less computationally intensive operations. This is especially important in a library like OpenPGPjs that is primarily meant for in browser based web usage because it should make things, like sending and receiving mail, faster when ECC is used over older PGP public key encryption systems. For people that use ProtonMail's web based crypto on mobile or tablet devices, a switch to ECC would result not just in similar performance improvements but also in lower battery usage.
In particular, elliptic curves have smaller parameters, which allow for smaller keys at the same bit security level. For example, to achieve 128-bit security, an RSA/DLP modulus must be 3072 bits. Elliptic curves achieve the same security level with only 256-bit parameters. They are also faster for most operations, but RSA is still technically faster for signature verification.
> Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
True, but elliptic curve cryptography is just as vulnerable to quantum computers, however long off that problem may be.
> Wow...I'm sort of shocked that wasn't a v1.0 consideration.
Given that you need to pass --expert to gpg 2.1 as of right now to even generate an ECC keypair for PGP use (nor use one on an OpenPGP smartcard or yubikey), I can sort of forgive the lack of ECC in 1.0. I don't think it sees wide usage for PGP keys (some clients don't support it, also).
However, as of the last time I tried Protonmail (about 10 minutes ago to check this is all still true) you can't: revoke/reissue your PGP key, validate outside signatures (either on encrypted messages or signed, plaintext messages) or send pure-PGP mail to users outside of protonmail (there's an encrypt for non-protonmail users option, that sends a link instead). Essentially as another commenter has said, you can't really do PGP with ProtonMail.
I don't use ProtoMail but it sounds like they are "managing" users' private keys!? Am I understanding this correctly? ProtonMail has access to their users' private keys? And they are using web-based encryption, delivered via JavaScript?
Yes and no. To simplify matters, you need not just a quantum computer but such a machine with the right sort of qubits. The right sort of qubits being logical qubits, not physical, many of which are needed for error correction.
It's not clear whether we can currently create a machine with sufficient logical qubits to run Shor's algorithm in a meaningful way.
However, out of an abundance of caution, we're "starting" now (some designs have existed for longer but this (NIST PQC) is the first competition, which focuses minds) so as to have something ready when/if a quantum computer becomes a reality.
A DARPA researcher explained to me that a quantum computer's qbits would have to be 99.9999999999% error-free (that's 12 nines) in order to perform the necessary steps of Shor's quantum factorization algorithm. Current state of the art qbits are 99.9-99.99% error-free. Basically, we have a long way to go.
What is the threat model for PGP in JS? Like, is there an Alice, Bob, Carol, Eve story under which PGP in JS makes sense?
The canonical example that IMO doesn't make sense is when Alice and Bob want to communicate privately using Eve as an webmail provider who wants to snoop in on the communications. Alice and Bob can't just trust Eve to provide a copy of OpenPGPjs in a <script> tag on EveMail.com, because then they're trusting Eve to provide a legitimate PGP implementation, trusting Eve not to log their keystrokes in JS, etc.
I can understand OpenPGPjs as a server-side library in Node (though I suspect it would be safer to run a battle-hardened library like GPG with node FFI).
But, in client-side web code, how could this ever make sense?
One user story is that Alice uses Eve's webmail, and Bob uses PGP and mutt on his laptop. Before Eve's webmail supported PGP in JS, Bob had to send his emails to Alice unencrypted (and unsigned), which meant his mail provider could read the plaintext (even if he trusted that mail provider to always require a TLS connection when sending to Eve's servers).
From Alice's point of view, she is just using webmail as she always has, except now she has the assurance that no one (other than Eve) can spoof Bob's identity, and that Bob's mail server isn't reading the messages she sends him (unless Eve is deliberately leaking the plaintext somehow despite sending Bob the encrypted version).
Long term it would be nice if the W3C's SRI standard was extended to allow offline signing of JavaScript files:
> [Alice knows] no one (other than Eve) can spoof Bob's identity
If Carol or Chuck can spoof Eves "identity" they can spoof Bobs identity. This can be done in a multitude of technical or social ways.
Is it better to have this than nothing? The problem is that you have to trust your whole infrastructure if you want to do this kind of client side encrypting.
If your threat model says that Eve's webmail servers can be spoofed, then Alice can't use webmail at all, or possibly any websites. At that point, the security of PGP in JS is pretty much irrelevant.
I think that is one of the most obvious things that can happen, but no it only affects JS PGP that is integrated on a site you use. PGP in JS is still relevant because it makes it easier to download, verify and execute Javascript "anywhere", not as an integrated solution served by a third party. Sadly.
I've been looking for gmail alternatives and this is my conclusion. Protonmail plays the part of the secure and private email provider, but, technologically, can't provide that. The only concrete thing their users have going is the superior legal environment of Switzerland. A less-than-concrete comforter is that if we believe that the people behind Protonmail believe in privacy, we'll tend to think they're more likely to try to protect ours if push comes to shove. This makes me look for alternatives.
Subresource integrity means you could trust Eve in some cases. Also if Eve provides a script tag from a trusted CDN it could work. You would have to check it every time though.
What might help is a browser extension that tracks changes and allows you to “lock” into a version of a website.
Technically Sri only reduces the amount of trusted data you need to keep around; you'd need an index.html that loads gpg.js and a js client that talks to a server (eg: jmap or a bespoke jsonapi that allows getting/sending mail).
This is pretty much what browser extensions do; bottle up some hypertext resources, signed and versioned.
You still have three obvious threats: local superuser can read application memory etc; your local user can read your memory and any browser compromise/bug can likely read your browser/session data.
The real question is if the browser sandbox is ever likely to be good enough that you don't have to worry about a font file from a compromised website about kittens reading your email in another tab.
The project looks really cool! But...the fact that the website has a certificate error doesn't inspire much confidence. Especially since it's a security tool. :(
I got a certificate error as well. This site hasn't had its certification for 132 days. I thought the whole link was a super meta joke/test. It does look cool though. Thanks for posting.
They are probably using it underneath. Webcrypto by itself is just a set of primitives, you need a higher level abstractions to do anything useful in real world.
I don't get it. Protonmail still doesn't support PGP, yet they're working on open source libraries for other people to implement PGP? I don't understand these priorities.
For internal use we had all RSA keys so it was fine. For external use we have to support what everyone uses, and there is a variety as you know. Saying "hey, you can use PGP but all your friends have to have RSA keys" is not a recipe for a good user experience.
This is great to hear! If/when protonmail transitions to be mail host that support open standards in a wider sense, I'd more seriously consider becoming a customer :-)
Fwiw, while I'm not that interested in the current project - I actually think it's great to build a walled garden on open standards - especially for secure services. Makes it easier to evaluate, and opens the door fore secure interop in the future.
Currently, ProtonMail uses RSA keys, but this addition of ECC support to their web encryption library may mean that they are about to start switching users to ECC keys. Because using "larger" (when compared with equivalent theoretical strength RSA keys, for example) ECC keys is less resource intensive than using higher security keys in some other forms of cryptosystems (like RSA) it may also be an indication that ProtonMail is preparing to upgrade users to higher security/stronger keys.
Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.