Server side, from within a virtual host you create a location called, for example, "/crypthandler". Then you assign a special mod_auth_openpgp handler to it.
Client side, when Enigform is asked to encrypt, or sign+encrypt a request, it first signs it so the X-OpenPGP headers get added. Then, the encryption process encapsulates the whole request's headers and body, and encrypts it. Afterwards, this is what gets sent to the server (all this might get improved, this is just the bare-bones idea, no mime-type, no nothing here):
POST /crypthandler HTTP/1.1
Host: www.sitename.com

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (GNU/Linux)

[...]
=2UOI
-----END PGP MESSAGE-----
The crypthandler decrypts the message (of course, it should be addressed to the virtual host's PGP key!). The message, when decrypted, is an encapsulated HTTP request, all with method, path, headers, cookies and body [if POST]. The handler does a sub-request, and sends back the response obtained (probably in encrypted form, too, if requested).
I also believe the handler could connect to a different host, virtually creating private sites that could only be accessed through an OpenPGP encrypted request, or encrypted proxies, etc, etc, etc.
Sounds approximately good?
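The handler side of the exchange described above, as an added example that is not part of the original post or of mod_auth_openpgp: it takes the outer POST, verifies the ASCII-armor CRC-24, hands the binary message to a `decrypt` callable and parses the encapsulated request for the sub-request. Assumptions of this example: the function names, the constructed sample (whose "ciphertext" is plaintext with an identity `decrypt` standing in for GnuPG and the virtual host's key), the `X-OpenPGP-Sig` placeholder header, and the rule refusing an inner request aimed at the handler itself.

```python
import base64, re

ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----\r?\n(?:[^\r\n]+\r?\n)*\r?\n"
                   r"(.*?)\r?\n=(\S{4})\r?\n-----END PGP MESSAGE-----", re.S)

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:  # only used to build the constructed sample
    body, crc = (base64.b64encode(b).decode() for b in (data, crc24(data).to_bytes(3, "big")))
    return (f"-----BEGIN PGP MESSAGE-----\r\nVersion: example\r\n\r\n{body}\r\n={crc}\r\n"
            "-----END PGP MESSAGE-----\r\n")

def dearmor(body: str) -> bytes:  # binary OpenPGP message, checksum verified
    m = ARMOR.search(body)
    if not m:
        raise ValueError("no armored PGP message in request body")
    data = base64.b64decode(m.group(1))
    if crc24(data) != int.from_bytes(base64.b64decode(m.group(2)), "big"):
        raise ValueError("armor checksum mismatch")
    return data

def decapsulate(outer: str, decrypt) -> dict:
    """Outer POST -> inner request the handler would issue as a sub-request."""
    head, _, body = outer.partition("\r\n\r\n")
    method, handler_path, _ = head.split("\r\n")[0].split(" ", 2)
    if method != "POST":
        raise ValueError("encrypted requests must be POSTed to the handler")
    inner = decrypt(dearmor(body)).decode("latin-1")
    ihead, _, ibody = inner.partition("\r\n\r\n")
    lines = ihead.split("\r\n")
    imethod, ipath, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:])}
    if ipath.split("?")[0] == handler_path:  # assumption: refuse self-nesting
        raise ValueError("inner request must not target the handler itself")
    signed = any(k.startswith("x-openpgp-") for k in headers)
    return {"method": imethod, "path": ipath, "headers": headers, "body": ibody, "signed": signed}

# Constructed sample; the "ciphertext" is the plaintext, paired with an identity decrypt.
INNER = b"GET /private/report HTTP/1.1\r\nHost: www.sitename.com\r\nX-OpenPGP-Sig: placeholder\r\n\r\n"
SAMPLE = "POST /crypthandler HTTP/1.1\r\nHost: www.sitename.com\r\n\r\n" + armor(INNER)
```

The `signed` flag only records that X-OpenPGP headers are present in the inner request; verifying the signature they carry is left to the stage that performs the sub-request.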