
OK, enough is enough! In light of this bill, I will spend the post-Thanksgiving time cleaning up all my email boxes, and I would like your suggestions for a new email account that fulfills the following requirements:

- is located offshore, preferably in some small country with less draconian laws, both those that exist now and those that could be implemented in the near future (15 years?), BUT stable enough that my service can be reliable,

- content of my emails is automatically encrypted,

- and at this point, I am fine with paying for my email. The amount of work it lets me do, I am fine with paying up to $49/month, I think.

Thanks!




The best solution right now is probably to use a desktop app that encrypts e-mails locally with OpenPGP before sending them.

Can't someone make a Chrome extension that does the same for Gmail, though? There seem to be a few solutions for Firefox.


Hint: You are not the first person to notice that crypto can be done client-side in JavaScript. There are very good and not-obvious reasons why this is not done.


Could you please elaborate, so that more people do not fall into this intellectual trap?


http://www.matasano.com/articles/javascript-cryptography/

Basically, the server you're talking to, as well as any resources on that page, can undermine your JavaScript primitives and render your crypto useless (or just backdoor it).

If you trust the server to not backdoor your crypto... you can just trust the server to _do_ the crypto in the first place.

There is an effort underway to build better crypto APIs into browsers, but I'll bet you a bitcoin that it's super easy to fuck up the implementation of and most end up being insecure, and/or nobody ends up using it after all.
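An added illustration of the point made in the comment above (not part of the thread and not code from the linked article): crypto code that looks up a primitive on a scope shared with other scripts inherits whatever those scripts leave there. All names are hypothetical; `scope` models a page's global object and the RNG is a counter stand-in, not a CSPRNG.

```javascript
// Added illustration (not from the thread). All names are hypothetical.
// `scope` models a page's shared global object: any script the page loads,
// first-party or third-party, can reassign its members.
function makeScope() {
  let n = 0;
  return {
    // Stand-in RNG for the demo only (a full-period counter, not a CSPRNG).
    randomBytes(len) {
      return Array.from({ length: len }, () => (n = (n * 73 + 41) % 256));
    },
  };
}

// In-page "crypto" code: resolves the primitive on the shared scope at call time.
function newKeyHex(scope) {
  return scope.randomBytes(8).map((b) => b.toString(16).padStart(2, '0')).join('');
}

// Models a later script on the same page replacing the primitive.
function laterScript(scope) {
  try {
    scope.randomBytes = (len) => new Array(len).fill(0);
  } catch (e) {
    // Assignment to a frozen object throws in strict mode; nothing to do.
  }
}

// Defender-side check: do two freshly generated keys collide?
function keysRepeat(scope) {
  return newKeyHex(scope) === newKeyHex(scope);
}

function demo() {
  const open = makeScope();
  const before = keysRepeat(open); // primitive intact: keys differ
  laterScript(open);
  const after = keysRepeat(open);  // primitive replaced: every key is all zeros

  // Freezing helps only if trusted code runs first and is itself unmodified,
  // and the server that delivers the page decides both of those things.
  const frozen = Object.freeze(makeScope());
  laterScript(frozen);
  return { before, after, frozenStillOk: !keysRepeat(frozen) };
}
```

The frozen case shows why in-page hardening does not change the trust model: it protects against other scripts, not against the party that serves the code.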


I read that article as explaining why a web application can't do crypto with JavaScript. As someone who knows almost nothing about browser extensions, can you elaborate on why one isn't a good idea for Chrome?


The sections "How are browsers hostile to cryptography?", "What systems programming functionality does Javascript lack?", and "What else is the Javascript runtime lacking for crypto implementors" cover issues you would encounter with browser extension crypto.


I didn't realize extensions were largely JavaScript. Thanks for the pointers.


Ah yeah. I believe the usual terminology is such that "extensions" are JavaScript and "addons" are something native. You could probably do crypto well with an addon... to the extent that it is possible to do an addon at all properly (honestly I have no idea there).


I think you could at least have it implemented in NaCl in Chrome, if the JavaScript versions fail.


Presuming you're securing against Gmail monitoring, Google in this case would be the eavesdropper/attacker.

Google controls the key/cert that allows for Chrome extension updating...


Hope you enjoy talking to yourself, because encrypted email only works if the receiving side participates. And realistically, almost nobody does.



