
Easy browser encryption for everyone

Everyone deserves access to encryption, so I threw together a quick tool that provides crypto for everyone. It encodes and decodes messages in the browser (nothing is ever passed back to my server) with standard AES encryption — all you have to do is come up with a suitable passphrase and transmit it over the phone.

Passphrases are the easier-to-remember siblings of passwords, and they’re much easier to say over the phone. “James doesn’t like to eat vegetables, for some reason” is a perfectly decent passphrase. To make this easier to use, I strip out everything but the letters and convert to lowercase, so it doesn’t matter whether you include the comma or capitalize any of the words. The key is that you’ll need to transmit the passphrase over the phone (or at least in a different medium than the one you use to send the encoded message) for the message to be secure, and I’m willing to sacrifice a few bits of entropy for ease of use.

Choosing a passphrase is easy, because just about anything will do fine. “Correct horse battery staple” is fine, and so is “we got our cat, mittens, from the shelter in shelbyville.” Passwords are rarely guessed by hand (despite what you might see in movies); rather, a computer is programmed to try every combination of words. So if there are 100,000 words you might use (include proper nouns and that skyrockets), and you use 6 of them, the computer would have to guess 100,000^6 = 1,000,000,000,000,000,000,000,000,000,000 combinations to break the code. That’s a mindboggling number, even for a computer.

Is this secure? Yes. If you’re using a passphrase with 5 or more words, you can consider your message to be secure. If the alternative is sending plain-text messages, you’re doing about a gazillion times better off using Crypto for everyone. If you’re happily using GnuPG, this is theoretically less secure, since you have no idea who I am, and the code hasn’t been reviewed — only tested.

Crypto for everyone (feedback is much appreciated)

Some other one-offs I found in this vein were Privnote, which does self-destructing one-time messages, and NoPlainText, which does the same but encrypts on the server. Naturally, the inspiration came largely from XKCD.
