Can I use PGP / GPG via JavaScript?

StackOverflow https://stackoverflow.com/questions/17733899

  •  03-06-2022
  •  | 
  •  

質問

I am thinking about a simple, bullet proof password management solution (compare KeePass or lastpass) - only based on HTML and Javascript plus the PGP client package.

I already found the WebPG Chrome Plugin which allows easy encryption and decryption inside websites - but is there also a way to communicate with this plugion via javascript (for example "Encrypt contents of div #foobar with public keys A and B") or are there other ways to integrate PGP into Javascript?

A Chrome-only or Firefox-only solution would also be okay, but it has to be cross-OS (Linux, Win, Mac)

役に立ちましたか?

解決

You didn't specify if this would be initiated from Javascript on the web page, or from a specific user action. I assume you are referring to Javascript that is running on the web page, so I will answer that question.

The short answer is no; web pages cannot currently initiate GnuPG context operations via Javascript with WebPG[1] (v0.9.4).

The long answer is no; not yet. Maybe not ever...

There has been some talk of providing such a mechanism to WebPG, however, there needs to be a lot of thought put into the specifics of this kind of API, as it introduces potential vulnerabilities into the operation of WebPG, depending on how it is implemented.

I am certainly willing to entertain/host such a conversation, but it begs the question: Is WebPG the right tool for the job?

The intended purpose of WebPG (at present) is merely to provide readily available tools for users to perform GnuPG/PGP Key Management and (user initiated) GnuPG context operations within the web browser. There is nothing that says WebPG can not (or should not) do more, but none of that "more" should jeopardize the stated purpose.

If the belief is that WebPG is the proper tool for the job, at minimum the following must occur -

  • A comprehensive analysis of the intended result
  • An outline of the specifics of how to reach that result
  • A comprehensive analysis of the potential security threats
  • Creation of a plan to implement those specifics in manner that mitigates the identified threats

Now, it is quite possible that WebPG is not the proper tool for the job; in which case I can only point you to other Javascript related libraries which implement OpenPGP or some variation thereof - but since I have little to no experiences with any of those, a web search would probably yield a more comprehensive list of available technologies and their specific capabilities.

Full disclosure - I am the author of WebPG, and however diligent I am at removing any bias, some bias may remain.

[1] WebPG - http://webpg.org

ライセンス: CC-BY-SA帰属
所属していません StackOverflow
scroll top