WebApp Sec mailing list archives

Re: Web based email signing and encryption


From: Rogan Dawes <discard () dawes za net>
Date: Thu, 20 May 2004 15:38:00 +0200

Hi,

You might want to take a look at HushMail.com for some ideas, and to see how they have implemented their system. They are using OpenPGP compatible messages, though, not S/MIME.

To do this effectively, you would need to have a client side applet that implements the S/MIME algorithms, and uploads the message in a format that the web server can relay to the recipient, without breaking the encryption and signatures.

I guess it is not really difficult to do; you just need to find implementations of the S/MIME libraries that you can use, e.g. the BouncyCastle.org crypto provider.

It could be an interesting project to integrate this with something like IMP/Horde, or one of the other webmail apps. Effectively, you would have to convert plain text to an encrypted attachment prior to sending, and reverse that on receipt.

As the HushMail.com site describes, the tricky thing is managing the certificates. Hush manages them for you (but decrypts them locally); maybe an S/MIME implementation would read them from the local filesystem.

Also, be aware that Hush has (applied for) a patent in this area.

Rogan

sonali maniar wrote:


Most of the email signing and encryption products work on S/MIME based
clients like Outlook Express, Netscape Messenger etc. My company has
web based access to our corporate mailing system. How can this be
secured?
Are there any products/tools/components available to enable web based e-mail
signing and encryption, i.e. a mail composed in a web browser can be sent
digitally signed and encrypted? Both the email contents and attachments need
to be signed and encrypted.



Sonali Maniar, CISA
Associate Consultant
SafeScrypt Ltd
3rd Floor, Enterprise Centre
Off Nehru Road, Vile Parle East
Mumbai 400099
Tel : +91-22-5677-2473
Mobile : +91-9820410775
Fax : +91-22-2617-7662

SafeScrypt - The Confidence To Do More!




--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
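
The flow described in the reply above (sign and encrypt on the client, have the web server relay the result untouched), as an added example that is not part of the original thread. It uses the OpenSSL `smime` command in place of an applet or BouncyCastle; the identities `alice` and `bob`, the file names and the message text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Identities, file names and message text are constructed.
W=$(mktemp -d)

mkid() {            # mkid NAME: throwaway self-signed certificate and key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

client_compose() {  # client side: sign as alice, then encrypt to bob
    printf 'Quarterly figures attached.\n' > "$W/body.txt"
    openssl smime -sign -text -in "$W/body.txt" -signer "$W/alice.crt" \
        -inkey "$W/alice.key" -out "$W/signed.eml" 2>/dev/null &&
    openssl smime -encrypt -aes256 -in "$W/signed.eml" \
        -out "$W/upload.eml" "$W/bob.crt"
}

verify_signed() {   # verify_signed FILE: check alice's signature, write plain.txt
    openssl smime -verify -text -in "$1" -CAfile "$W/alice.crt" \
        -out "$W/plain.txt" 2>/dev/null
}

recipient_open() {  # recipient_open FILE: decrypt as bob, then verify
    openssl smime -decrypt -in "$1" -recip "$W/bob.crt" \
        -inkey "$W/bob.key" -out "$W/inner.eml" 2>/dev/null &&
    verify_signed "$W/inner.eml"
}

relay_opaque()  { cp "$1" "$2"; }                           # server forwards bytes as-is
relay_rewrite() { sed 's/Quarterly/Annual/' "$1" > "$2"; }  # server edits the body

demo() {
    mkid alice && mkid bob && client_compose || return 1
    relay_opaque "$W/upload.eml" "$W/delivered.eml"
    recipient_open "$W/delivered.eml" && echo "opaque relay: signature verifies"
    relay_rewrite "$W/signed.eml" "$W/rewritten.eml"
    verify_signed "$W/rewritten.eml" || echo "rewriting relay: signature fails"
}
demo
```

The second case is why a webmail server that adds footers or otherwise rewrites bodies has to treat an S/MIME upload as an opaque blob.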

