The server in the middle problem and possible solutions
One of the big security issues on the web is that it only provides
server to client security (usually via SSL). As far as I know, the web
crypto API does not provide a end to end security because it relies on
Having been a developer of Konqueror web browser I explored the idea
of going further  , and did my final career project on this
subject, implementing a KHTML patch that basically extends the div
element and input type=text element by adding two attributes,
encryption=”gpg” and encryption-key=”<keyid>”, so that a div
containing a gpg ascii encoded encrypted text is automatically
decrypted showing the plaintext, and when a form with an encrypted
input type=”text” element is sent, the data is automatically
The solution I developed is *just a proof of concept and by no means a
final proposition*. But the key point is twofold:
* The security it provides is website-independent, you only need to
CSS or any other tactics to access to the contents of the plaintext.
* It’s easy to implement as an HTML extension that could be standardized..
SSL was the first step for securing the web. End to end encryption is
the next, and it will allow cloud applications like web chats, web
mails, and even office apps in the cloud with privacy being orthogonal
to the servers used. When you chat using gmail with your peers using
HTTPS, there’s someone else listening: it’s Google. It’s the server
that is in the middle by design.
When you chat using gmail with your peers using HTTPS, there’s someone
else listening: it’s Google. It’s the server that is in the middle by
design. When a Los Angeles employee sends an email to another peer
using Gmail, it ain’t Google’s business. Perhaps if an end-to-end
encryption scheme as proposed was available as a standard, Google
would offer it in Gmail for businesses and for geeks like us ;-) , and
certainly other service providers would.
What I proposed is just a proof of concept. We could perhaps encrypt
whole forms in a similar manner, or use a secure sandbox inside which
plaintext data can be freely manipulated, but whose details are well
known to the browser, are being recorded and the user can see in a
details dialog, similar to the details of HTTPS connections in current
web browsers, and the data going out from the sandbox is encrypted in
a controlled and secure way.