This is cool! One suggestion: I currently can't bookmark a URL that just contains my email with public key in the querystring, because the app complains that some parameters are missing. So for example https://diafygi.github.io/emailpk/?from=<myusername+publicke... will fail. If this worked, and automatically told the app the "from" address, that would make it easier to just hit a saved link or bookmark containing that info so I could get right down to business.
Other than that, a bit of polish and this would be fantastic. One problem might be running into the maximum URL length allowed by browsers (2083, limited by IE, if I am correct), if you store the ciphertext on the URL, but I don't see another way to get around that short of a very clever HTML email that performs a form post... which may be possible, not sure.
Thanks! Pre-filling the form is a good suggestion. Want to do a pull request?
Also, I try keep the encrypted payload size minimized, but yes, URL limits can be a problem (as well as line breaks that email clients sometimes insert). You can always copy and paste the link into the Read Existing text area, though.
It sort-of does work with people's existing email (since the public key is just added as an email alias). If you didn't have the public key in the email, you'd have to have central repo for public keys, which is what this technique is trying to prevent.
Also, this is an unhosted application, so you can just right click and save-as. It still works hosted on your local filesystem (which isn't subject to NSLs).
Indeed. Unfortunately, that's fundamentally the way public-key crypto works. If you do try to send a message to an email with no public key, it will prompt you to send an invite instead.
Gmail[1], Outlook[2], and Yahoo[3] supposedly support aliases, and everyone who uses Google Apps for their email also support aliases. I've only verified with my Gmail, so can anyone else confirm Outlook and Yahoo?
"NOTE: THIS IS A PROOF OF CONCEPT. DO NOT USE FOR REAL SECRETS"
Other than being a proof of concept, what is the real problem on using this for "real secrets?" Are there plans to take it our of proof of concept to something usable then? I see your myLock carries the same disclaimer, what is the point then?
I don't really expect these projects to get used widely. They serve more as inspiration to show that client-side encryption doesn't have to be cumbersome for the casual user.
It would be great if webapp developers started baking client-side encryption into their apps.
This is a great idea, I hadn't thought of embedding ECC keys in the address itself. That makes them very easy to share, and backwards-compatible. I think this has great potential, especially as a mail client plugin, since it's so easy to use.
The only problem I'm having is that it's requesting my passphrase even though I paste my full email address (with my key embedded). I assume it's for signing?
It would be very nice if it could let me choose to send it unsigned.
Oh, it's not so much throwaway encryption as much as it is "I don't trust this webpage and don't want to enter my key in it". However, I'll have a look at the code for my own peace of mind.
EmailPK looks great, great job! I love it.
EDIT: By the way, I assume you're aware of the fact that your name is Greek for "escape"?
Not exactly, it's closer to "escaping" or "eluding" in modern Greek, but it comes from dia (through) + fygi (flight), so maybe it meant "slips through the cracks" in ancient Greek. I think it meant "escape" back then too, though.
How can I generate a private key, though? (EDIT: Never mind, you just type a passphrase when you send an email. You can send me messages at hi+3mrw9gpkAN1Uc5ZUFxdNtxQhUiEvsWE1GveBkzNKYvqF@stavros.io)
I can see this having problems with revocation and password changes, unfortunately. Namely, if your passphrase is compromised, you're screwed.
After encrypting, the text area shows the encrypted message ("This message is encrypted..."). So you can always manually copy that and paste it into your own mail client :)
Other than that, a bit of polish and this would be fantastic. One problem might be running into the maximum URL length allowed by browsers (2083, limited by IE, if I am correct), if you store the ciphertext on the URL, but I don't see another way to get around that short of a very clever HTML email that performs a form post... which may be possible, not sure.