The Server in the middle problem and solution

At the beginning of 2009 I posted a story in this very same blog where I proposed the creation of a web encryption framework to add support for end to end encryption in the web browser.

As it turns out, in 2010 I did my Computer Science final project about this subject, successfully implementing an HTML extension in KHTML that fixed what during one talk I was giving on the subject I coined to be the Server in the middle problem (project memory in spanish, code in github).

The solution I developed is just a proof of concept and not a final proposition. It basically extends the div element and input type=text element by adding two attributes, encryption=”gpg” and encryption-key=”<keyid>”, so that a div containing a gpg ascii encoded encrypted text is automatically decrypted shown the plaintext, and when a form with an encrypted input type=”text” element is sent, the data is automatically encrypted.

The key point about this proposition is twofold:

  1. The security it provides is website-independent, you only need to trust the web browser.. It’s not possible using javascript, the DOM, CSS or any other tactics to access to the contents of the plaintext.
  2. It’s easy to implement as an HTML extension that  could be standardized.

This is what makes the proposal differ from other approaches like the deceased FirePGP Mozilla Firefox extension, the javascript API that some web browsers like Mozilla Firefox provide for cryptographic primitives, or javascript libraries like Slow AES that currently provide cryptographic support for some websites that uses them.

I have spent this weekend updating the code to work in recent KDE versions and creating an ready-to-go usb live opensuse-based [1] appliance called “Server in the middle” that shows Sweeetter, a microblogging application that allows users to exchange messages using the aforementioned HTML extension. Check it out! it’s for you to test it =)

SSL was the first step for securing the web. End to end encryption is the next, and it will allow cloud applications like web chats, web mails, and even office apps in the cloud with privacy being orthogonal to the servers used. When you chat using gmail with your peers using HTTPS, there’s someone else listening: it’s Google. It’s the server that is in the middle by design. When a Los Angeles employee sends an email to another peer using Gmail, it ain’t Google’s business.  Perhaps if an end-to-end encryption scheme as proposed was available as a standard, Google would offer it in Gmail for businesses and for geeks like us ;-), and certainly other service providers would.

I will say it again: what I proposed is just a proof of concept. We could perhaps encrypt whole forms in a similar manner, or  use a secure sandbox inside which plaintext data can be freely manipulated, but whose details are well known to the browser, are being recorded and the user can see in a details dialog, similar to the details of HTTPS connections in current web browsers, and the data going out from the sandbox is encrypted in a controlled and secure way.

The issue of privacy in the web will arise sooner or later. All the applications are jumping to the web wagon and some applications just need to be secure. It’s not only cryptonerds that need to take this seriously. Big companies that need their data to be secure will either continue using old-fashioned software, or request something better than we have now. This has already happened sooner than you might think (1999). Thus, we need to take this seriously, and begin standardizing and developing similar solutions to the one proposed for the shiny future that is about to come.

[1] BTW, SUSE Studio rocks!

About these ads

11 Responses to “The Server in the middle problem and solution”


  1. 1 damian enero 8, 2012 en 10:48 pm

    Well said. This kind of technologies should be implemented before it’s too late, but there are a few problems to solve.

    Firstly, Google or any other web service provider won’t agree with this, as it takes control off them. Secondly, in it’s current state it will make their services worse as you can’t search in the content of mails easily, neither you can index for “useful” data , and you might get worse performance.

    Once these problems are solved, they should be forced by law on any web service provider, that doesn’t claim “We can see all your data, and can use it however we want” on their license.

    The problem of searching in mails for example is a difficult one, how can it be done if the server can’t read it’s content and the client doesn’t have them at all?
    Unless there is a copy process (installing web apps?) which might take long and would remove the “grab and computer input password and done” advantage, I can’t see other way, but I’m sure someone will come with a good solution for these problems, if they are given enough importance.

  2. 2 ben enero 10, 2012 en 2:57 am

    I don’t believe that it should be forced by law. I think the market should weed out the stragglers naturally; If there are big companies who need end-to-end encryption, there will be businesses who provide end-to-end encryption. If that business is not Google (or whoever), then they will lose customers…incentive should naturally increase.

  3. 3 www.seoorganics.net/ mayo 7, 2013 en 4:24 am

    Hello just wanted to give you a quick heads up.
    The text in your content seem to be running off the screen in
    Firefox. I’m not sure if this is a format issue or something to do with internet browser compatibility but I figured I’d post to
    let you know. The style and design look great though!
    Hope you get the issue resolved soon. Kudos

  4. 4 anatomy and physiology help mayo 24, 2013 en 7:39 pm

    When I initially left a comment I appear to have
    clicked the -Notify me when new comments are added- checkbox and from now
    on each time a comment is added I get four emails with the exact same
    comment. Perhaps there is a way you can remove me from that service?
    Appreciate it!

  5. 5 Sidney junio 16, 2013 en 5:15 pm

    Just want to say your article is as astounding. The clarity in your post is simply excellent and
    i could assume you are an expert on this subject. Fine with your permission allow me to grab your feed
    to keep updated with forthcoming post. Thanks a million and
    please continue the rewarding work.

  6. 6 raspberry ketones junio 18, 2013 en 5:51 pm

    Very nice write-up. I absolutely love this website. Stick with it!

  7. 7 green coffee bean junio 19, 2013 en 3:10 am

    Hey! Do you use Twitter? I’d like to follow you if that would be ok. I’m definitely
    enjoying your blog and look forward to new updates.

  8. 8 best binary options trading site junio 20, 2013 en 6:04 am

    I don’t know whether it’s just me or if everyone else encountering issues with your website.
    It appears like some of the text within your posts are running off the
    screen. Can someone else please comment and let me know if
    this is happening to them too? This may be a issue with my internet
    browser because I’ve had this happen previously. Thank you

  9. 9 www.puppiesandflowers.com junio 25, 2013 en 2:56 am

    This is the perfect webpage for anyone who really wants to understand this topic.
    You understand a whole lot its almost hard to argue with you (not that
    I really would want to…HaHa). You certainly put a brand new spin on a subject that has been written about for ages.
    Excellent stuff, just wonderful!

  10. 10 Adriene junio 25, 2013 en 4:16 am

    This post is genuinely a nice one it assists new internet
    viewers, who are wishing in favor of blogging.


  1. 1 CSL: Cheli Software Libre » Blog Archive » Servidor en medio Trackback en enero 10, 2012 en 4:37 am

Deja un comentario

Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión / Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión / Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión / Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión / Cambiar )

Conectando a %s





Seguir

Recibe cada nueva publicación en tu buzón de correo electrónico.

%d personas les gusta esto: