symmetric OpenPGP vs recent Iceweasel
Originally created by Tails on #5299 (Redmine)
{{toc}}
Rationale
A great bunch of Tails users currently use symmetric OpenPGP encryption in Iceweasel, thanks to FireGPG. We want to support this usecase on the long run.
Also, we’ve been wanting to ship Iceweasel 5.x as soon as possible, but FireGPG is discontinued upstream is known not to work with FF4+ "because of the missing IPC library", and generally is a security mess.
We need to find a way to support symmetric OpenPGP encryption in Tails.
Work in progress
The Seahorse applet already knows how to decrypt symmetrically encrypted text. But it does not support symmetric encryption, seems dead upstream, was never released for GNOME3 and therefore is not part of Debian testing.
Therefore, we have written another OpenPGP panel applet; the
bugfix/remove_firegpg
branch does not run the Seahorse applet anymore.
It does not install FireGPG either. Our own panel applet features:
- symmetrically encrypt clipboard content
- decrypt clipboard content (regardless of the kind of OpenPGP encryption)
- status icon and action menu change depending on the content of the clipboard(s), the same way as the Seahorse applet does
Missing features wrt. the Seahorse + FireGPG combo, we can live with:
- asymmetric (i.e. public key) encryption
- import key (covered by other parts of the Seahorse UI, though)
- symmetric encryption of files
Also, we prepared a "fake" FireGPG plugin that explains why it’s not here anymore and points to the alternative.
done in Tails 0.10.
Long term
On the long run, we hope Seahorse gets support for symmetric encryption, and seahorse-plugins to be relived upstream. See details below.
Archive: implementation ideas
Port FireGPG to recent Firefox/Iceweasel releases
Dismissed: the webbrowser is too much of a scary place to run GnuPG operations in.
As of June 2011, the most active FireGPG fork is darkpixel’s one. It recently merged bit’s branch in, that adds support for Firefox 4. It’s build system depends on:
-
ipccode: see
ipc/get.sh
in darkpixel’s repository - a local clone of the mozilla source code (canonical repository, releases.
Mike Cardwell’s easy installation recipe works, but it uses a binary IPC extension shipped in the Git repository.
We therefore need to build the IPC extension against the Iceweasel 5
source code and test the result. Note that a "simple" clone of the
Mercurial mozilla-release repository seems not enough as it lacks the
obj-ff-release
directory. Is this directory generated when compiling
Firefox itself?
The Html Validator compilation
instructions have
stuff related to the mysterious obj-ff-release
.
Find another user-interface that provides the missing feature
This could be a nice middle-term workaround.
Local GUI
Writing a simplistic GUI able to symmetrically encrypt/decrypt text should be quite quick.
Hints:
- May be needed to show all of GPG’s output to the user: one can be burnt by GPG-wrapper GUIs misleading about what GPG thinks.
- A message may be signed and encrypted using
gpg --symmetric --sign
Local webapp
- Herbert Hanewinkel’s OpenPGP Message Encryption in JavaScript:
- homepage
- only supports encryption
- gooxdoo JavaScript classes for OpenPGP encryption
- homepage
- only supports encryption
Add symmetric encryption support to GNOME
The Seahorse applet already knows how to decrypt symmetrically encrypted text. So the missing bit is symmetric encryption.
This would be the perfect long-term solution, but we probably lack the time and energy needed to implement it.
We asked the Seahorse authors to include this feature a while ago:
seahorse-plugins vs. GNOME3
Another problem is that seahorse-plugins (which the panel applet is part of) is not very well maintained upstream.
Stef Walters wants to get the Nautilus plugin ready for GNOME 3.4, we’ve asked about their plans for the panel applet.