SlideShare a Scribd company logo

Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js

Dane Schneider
Dane Schneider

The document discusses end-to-end encryption in web browsers using OpenPGP.js. It outlines the strengths and pitfalls of encryption in browsers, and how to mitigate risks like side channels and third party JavaScript. The document recommends using proven encryption standards like OpenPGP instead of rolling your own, and provides an overview of how Public-key cryptography works with PGP including encryption, decryption, signing and verification of messages. It promotes the Envkey service for encrypted key storage and configuration and seeks beta testers and React developers.

Technology
1 of 16
Download to read offline
Zero Knowledge End-to-end encryption in the browser with OpenPGP.js dane@envkey.com @danenania
What’s encryption?
What’s end-to-end encryption?
Why use end-to-end encryption? • Respect user privacy • Prevent malicious exposure • Prevent accidental exposure • Avoid legal demands
Why not use end-to-end encryption? • More difficult to code • Server can’t do much with encrypted data
Why I use end-to-end encryption • Envkey - encrypted vault for api keys and configuration • https://www.envkey.com
End-to-end encryption in the browser BROWSER STRENGTHS • Great for users • Great for developers • Single platform, simple codebase, web languages • Ubiquitous, no install, any device
End-to-end encryption in the browser BROWSER PITFALLS • Browser can be a dangerous environment for crypto • Host compromise = game over • Side channels • xss, 3rd party js, extensions
End-to-end encryption in the browser MITIGATING PITFALLS • Content security policy (CSP) • Static files / CDN / API • Precompile 3rd party js dependencies • Browser extensions / native apps
First rule of encryption logic • Don’t implement your own encryption logic! • Don’t touch primitives—use high level interfaces • Use old, boring, proven standards and libraries
PGP, OpenPGP, OpenPGP.js • PGP = Pretty Good Privacy — Phil Zimmerman 1991 • OpenPGP = opensource, standardized, no patents • OpenPGP.js = js implementation of OpenPGP standard
PGP protocol • Private key passphrase
PGP encryption / decryption
PGP signing / verification • Encryption = privacy • Signing = authenticity
Building PGP into your app • Balance ux and security • User auth and key generation • Key management • Key storage and retrieval • Trusting public keys
Thank you! • dane@envkey.com • @danenania • https://www.envkey.com • Looking for: • Envkey beta testers, React/Redux dev

Recommended

Issa healthcare panel
Issa healthcare panelIssa healthcare panel
Issa healthcare panelISSA LA
 
Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL
Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSLBarcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL
Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSLRichard Fussenegger
 
SecurityRI Wifi Security / Secure your Network
SecurityRI Wifi Security / Secure your Network SecurityRI Wifi Security / Secure your Network
SecurityRI Wifi Security / Secure your Network Gian Gentile
 
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaУязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaHeadLightSecurity
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsHeadLightSecurity
 
MAIDSAFE Installer DEMO Project SAFE London
MAIDSAFE Installer DEMO Project SAFE LondonMAIDSAFE Installer DEMO Project SAFE London
MAIDSAFE Installer DEMO Project SAFE LondonJames Littlejohn
 
VenkaSure Total Security+
VenkaSure Total Security+VenkaSure Total Security+
VenkaSure Total Security+Venkasys Technologies Pvt. Ltd.
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerHeadLightSecurity
 

Recommended

Issa healthcare panel
Issa healthcare panelIssa healthcare panel
Issa healthcare panelISSA LA
 
Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL
Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSLBarcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSL
Barcamp Salzburg Oktober 2013: (Perfect) Forward Secrecy with nginx and OpenSSLRichard Fussenegger
 
SecurityRI Wifi Security / Secure your Network
SecurityRI Wifi Security / Secure your Network SecurityRI Wifi Security / Secure your Network
SecurityRI Wifi Security / Secure your Network Gian Gentile
 
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaУязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaHeadLightSecurity
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsHeadLightSecurity
 
MAIDSAFE Installer DEMO Project SAFE London
MAIDSAFE Installer DEMO Project SAFE LondonMAIDSAFE Installer DEMO Project SAFE London
MAIDSAFE Installer DEMO Project SAFE LondonJames Littlejohn
 
VenkaSure Total Security+
VenkaSure Total Security+VenkaSure Total Security+
VenkaSure Total Security+Venkasys Technologies Pvt. Ltd.
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerHeadLightSecurity
 
Security Solution - Luckey Application on Crypto-currency and Personal Bankin...
Security Solution - Luckey Application on Crypto-currency and Personal Bankin...Security Solution - Luckey Application on Crypto-currency and Personal Bankin...
Security Solution - Luckey Application on Crypto-currency and Personal Bankin...Wan Leung Wong
 
Node on Guard
Node on GuardNode on Guard
Node on GuardIBM
 
Computing remotely in a secure manner
Computing remotely in a secure mannerComputing remotely in a secure manner
Computing remotely in a secure mannerKevin Bryant
 
Timisoara Wireless Survey
Timisoara Wireless SurveyTimisoara Wireless Survey
Timisoara Wireless SurveyCristian Vat
 
Getting started on IoT with AWS and NodeMCU for less than 5€
Getting started on IoT with AWS and NodeMCU for less than 5€Getting started on IoT with AWS and NodeMCU for less than 5€
Getting started on IoT with AWS and NodeMCU for less than 5€Stylight
 
IoT security
IoT securityIoT security
IoT securityAbhishek Dwivedi
 
Php hopping
Php hoppingPhp hopping
Php hoppingNabin kc
 
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!Jun Iio
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Home Automation
Home AutomationHome Automation
Home AutomationCássio Landim
 
Canberk Bolat - Alice Android Diyarında
Canberk Bolat - Alice Android DiyarındaCanberk Bolat - Alice Android Diyarında
Canberk Bolat - Alice Android DiyarındaCypSec - Siber Güvenlik Konferansı
 
INSECURITYBLANKET
INSECURITYBLANKETINSECURITYBLANKET
INSECURITYBLANKETRobert Isaiah
 
20201221 wifi
20201221 wifi20201221 wifi
20201221 wifisonhyungsoo
 
Lecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsLecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsAlexandru Radovici
 
Wifislax
WifislaxWifislax
WifislaxGeri waxel
 
CTO Cybersecurity Forum 2013 Atefor Tsefor Conrad
CTO Cybersecurity Forum 2013 Atefor Tsefor ConradCTO Cybersecurity Forum 2013 Atefor Tsefor Conrad
CTO Cybersecurity Forum 2013 Atefor Tsefor ConradCommonwealth Telecommunications Organisation
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
Digital self defense
Digital self defenseDigital self defense
Digital self defenseHenrik Jacobsen
 
Demystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsDemystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsMichele Chubirka
 
Wireless v2
Wireless v2Wireless v2
Wireless v2Joshua Johnston
 
Android secure coding
Android secure codingAndroid secure coding
Android secure codingBlueinfy Solutions
 
Online Privacy and Security
Online Privacy and SecurityOnline Privacy and Security
Online Privacy and SecurityAlex Hyer
 

More Related Content

What's hot

Security Solution - Luckey Application on Crypto-currency and Personal Bankin...
Security Solution - Luckey Application on Crypto-currency and Personal Bankin...Security Solution - Luckey Application on Crypto-currency and Personal Bankin...
Security Solution - Luckey Application on Crypto-currency and Personal Bankin...Wan Leung Wong
 
Node on Guard
Node on GuardNode on Guard
Node on GuardIBM
 
Computing remotely in a secure manner
Computing remotely in a secure mannerComputing remotely in a secure manner
Computing remotely in a secure mannerKevin Bryant
 
Timisoara Wireless Survey
Timisoara Wireless SurveyTimisoara Wireless Survey
Timisoara Wireless SurveyCristian Vat
 
Getting started on IoT with AWS and NodeMCU for less than 5€
Getting started on IoT with AWS and NodeMCU for less than 5€Getting started on IoT with AWS and NodeMCU for less than 5€
Getting started on IoT with AWS and NodeMCU for less than 5€Stylight
 
Php hopping
Php hoppingPhp hopping
Php hoppingNabin kc
 
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!Jun Iio
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Lecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsLecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsAlexandru Radovici
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
Demystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsDemystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsMichele Chubirka
 

What's hot (20)

Security Solution - Luckey Application on Crypto-currency and Personal Bankin...
Security Solution - Luckey Application on Crypto-currency and Personal Bankin...Security Solution - Luckey Application on Crypto-currency and Personal Bankin...
Security Solution - Luckey Application on Crypto-currency and Personal Bankin...
 
Node on Guard
Node on GuardNode on Guard
Node on Guard
 
Computing remotely in a secure manner
Computing remotely in a secure mannerComputing remotely in a secure manner
Computing remotely in a secure manner
 
Timisoara Wireless Survey
Timisoara Wireless SurveyTimisoara Wireless Survey
Timisoara Wireless Survey
 
Getting started on IoT with AWS and NodeMCU for less than 5€
Getting started on IoT with AWS and NodeMCU for less than 5€Getting started on IoT with AWS and NodeMCU for less than 5€
Getting started on IoT with AWS and NodeMCU for less than 5€
 
IoT security
IoT securityIoT security
IoT security
 
Php hopping
Php hoppingPhp hopping
Php hopping
 
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!
A Story on Sinatra's F*cking Configuration that Really, Really Bothered Me!
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
Home Automation
Home AutomationHome Automation
Home Automation
 
Canberk Bolat - Alice Android Diyarında
Canberk Bolat - Alice Android DiyarındaCanberk Bolat - Alice Android Diyarında
Canberk Bolat - Alice Android Diyarında
 
INSECURITYBLANKET
INSECURITYBLANKETINSECURITYBLANKET
INSECURITYBLANKET
 
20201221 wifi
20201221 wifi20201221 wifi
20201221 wifi
 
Lecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of ThingsLecture 3 - Software for the Internet of Things
Lecture 3 - Software for the Internet of Things
 
Wifislax
WifislaxWifislax
Wifislax
 
CTO Cybersecurity Forum 2013 Atefor Tsefor Conrad
CTO Cybersecurity Forum 2013 Atefor Tsefor ConradCTO Cybersecurity Forum 2013 Atefor Tsefor Conrad
CTO Cybersecurity Forum 2013 Atefor Tsefor Conrad
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
Digital self defense
Digital self defenseDigital self defense
Digital self defense
 
Demystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsDemystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source Options
 
Wireless v2
Wireless v2Wireless v2
Wireless v2
 

Similar to Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js

Online Privacy and Security
Online Privacy and SecurityOnline Privacy and Security
Online Privacy and SecurityAlex Hyer
 
Living With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementLiving With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementNuno Loureiro
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
Sierraware browser isolation
Sierraware browser isolationSierraware browser isolation
Sierraware browser isolationSierraware
 
7 reasons why video conferencing world will never
7 reasons why video conferencing world will never7 reasons why video conferencing world will never
7 reasons why video conferencing world will neverTrueConf
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Securing .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsNETUserGroupBern
 
Thin Clients for InduSoft Web Studio
Thin Clients for InduSoft Web StudioThin Clients for InduSoft Web Studio
Thin Clients for InduSoft Web StudioAVEVA
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AlivePositive Hack Days
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013javagroup2006
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveDefconRussia
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay aliveqqlan
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
 
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...JosephTesta9
 

Similar to Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js (20)

Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
Online Privacy and Security
Online Privacy and SecurityOnline Privacy and Security
Online Privacy and Security
 
Living With Passwords: Personal Password Management
Living With Passwords: Personal Password ManagementLiving With Passwords: Personal Password Management
Living With Passwords: Personal Password Management
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
Web security 101
Web security 101Web security 101
Web security 101
 
Websec
WebsecWebsec
Websec
 
Sierraware browser isolation
Sierraware browser isolationSierraware browser isolation
Sierraware browser isolation
 
7 reasons why video conferencing world will never
7 reasons why video conferencing world will never7 reasons why video conferencing world will never
7 reasons why video conferencing world will never
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Securing .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applications
 
Attacking VPN's
Attacking VPN'sAttacking VPN's
Attacking VPN's
 
Thin Clients for InduSoft Web Studio
Thin Clients for InduSoft Web StudioThin Clients for InduSoft Web Studio
Thin Clients for InduSoft Web Studio
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013
 
HTML5 - The Promise & The Peril
HTML5 - The Promise & The PerilHTML5 - The Promise & The Peril
HTML5 - The Promise & The Peril
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js

  • 1. Zero Knowledge End-to-end encryption in the browser with OpenPGP.js dane@envkey.com @danenania
  • 4. Why use end-to-end encryption? • Respect user privacy • Prevent malicious exposure • Prevent accidental exposure • Avoid legal demands
  • 5. Why not use end-to-end encryption? • More difficult to code • Server can’t do much with encrypted data
  • 6. Why I use end-to-end encryption • Envkey - encrypted vault for api keys and configuration • https://www.envkey.com
  • 7. End-to-end encryption in the browser BROWSER STRENGTHS • Great for users • Great for developers • Single platform, simple codebase, web languages • Ubiquitous, no install, any device
  • 8. End-to-end encryption in the browser BROWSER PITFALLS • Browser can be a dangerous environment for crypto • Host compromise = game over • Side channels • xss, 3rd party js, extensions
  • 9. End-to-end encryption in the browser MITIGATING PITFALLS • Content security policy (CSP) • Static files / CDN / API • Precompile 3rd party js dependencies • Browser extensions / native apps
  • 10. First rule of encryption logic • Don’t implement your own encryption logic! • Don’t touch primitives—use high level interfaces • Use old, boring, proven standards and libraries
  • 11. PGP, OpenPGP, OpenPGP.js • PGP = Pretty Good Privacy — Phil Zimmerman 1991 • OpenPGP = opensource, standardized, no patents • OpenPGP.js = js implementation of OpenPGP standard
  • 12. PGP protocol • Private key passphrase
  • 13. PGP encryption / decryption
  • 14. PGP signing / verification • Encryption = privacy • Signing = authenticity
  • 15. Building PGP into your app • Balance ux and security • User auth and key generation • Key management • Key storage and retrieval • Trusting public keys
  • 16. Thank you! • dane@envkey.com • @danenania • https://www.envkey.com • Looking for: • Envkey beta testers, React/Redux dev