WebApp Sec mailing list archives
Re: Web based email signing and encryption
From: Rogan Dawes <discard () dawes za net>
Date: Thu, 20 May 2004 15:38:00 +0200
Hi,
You might want to take a look at HushMail.com for some ideas, and to see how they have implemented their system. They are using OpenPGP compatible messages, though, not S/MIME.
To do this effectively, you would need to have a client side applet that implements the S/MIME algorithms, and uploads the message in a format that the web server can relay to the recipient, without breaking the encryption and signatures.
I guess it is not really difficult to do; you just need to find implementations of the S/MIME libraries that you can use, e.g. the BouncyCastle.org crypto provider.
It could be an interesting project to integrate this with something like IMP/Horde, or one of the other webmail apps. Effectively, you would have to convert plain text to an encrypted attachment prior to sending, and reverse that on receipt.
As the HushMail.com site describes, the tricky thing is managing the certificates. Hush manages them for you (but decrypts them locally); maybe an S/MIME implementation would read them from the local filesystem.
Also, be aware that Hush has (applied for) a patent in this area.
Rogan
sonali maniar wrote:
Most of the email signing and encryption products work on S/MIME based clients like Outlook Express, Netscape Messenger etc. My company has web based access to our corporate mailing system; how can this be secured? Are there any products/tools/components available to enable web based e-mail signing and encryption, i.e. a mail composed in a web browser can be sent digitally signed and encrypted? Both the email contents and attachments need to be signed and encrypted.
Sonali Maniar, CISA
Associate Consultant
SafeScrypt Ltd
3rd Floor, Enterprise Centre
Off Nehru Road, Vile Parle East
Mumbai 400099
Tel : +91-22-5677-2473
Mobile : +91-9820410775
Fax : +91-22-2617-7662
SafeScrypt - The Confidence To Do More!
--
Rogan Dawes
*ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
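The flow discussed in this thread (sign and encrypt before the message reaches the webmail server, reverse that on receipt), as an added example that is not part of either post. It uses the openssl command-line tool in place of a browser applet or BouncyCastle, and the certificates, addresses and message body are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Certificates, addresses and the message body are constructed.
# The function runs in a subshell so the throwaway key material is removed on exit.
smime_roundtrip() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT

    # Throwaway self-signed certificates standing in for each user's S/MIME cert.
    for who in sender recipient; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$who" \
            -keyout "$d/$who.key" -out "$d/$who.crt" 2>/dev/null || exit 1
    done
    printf 'Quarterly numbers attached.\n' > "$d/body.txt"

    # Client side: sign with the sender's private key, then encrypt the signed
    # MIME entity to the recipient's certificate.
    openssl smime -sign -text -in "$d/body.txt" -signer "$d/sender.crt" \
        -inkey "$d/sender.key" -out "$d/signed.eml" || exit 1
    openssl smime -encrypt -aes256 -in "$d/signed.eml" \
        -from sender@example.test -to recipient@example.test \
        -subject "signed and encrypted" -out "$d/wire.eml" \
        "$d/recipient.crt" || exit 1

    # Server side: wire.eml is all the webmail server gets to relay.
    # It must not contain the plaintext body.
    if grep -q 'Quarterly' "$d/wire.eml"; then
        echo "plaintext visible to relay" >&2
        exit 1
    fi

    # Recipient side: decrypt with the recipient's private key, then verify
    # the signature against the sender's certificate.
    openssl smime -decrypt -in "$d/wire.eml" -recip "$d/recipient.crt" \
        -inkey "$d/recipient.key" -out "$d/opened.eml" || exit 1
    openssl smime -verify -text -in "$d/opened.eml" -CAfile "$d/sender.crt" \
        -out "$d/recovered.txt" 2>/dev/null || exit 1

    # S/MIME canonicalises line endings to CRLF; strip CR before printing.
    tr -d '\r' < "$d/recovered.txt"
)

smime_roundtrip   # prints the recovered body if every step succeeded
```

Both private keys stay on the endpoints in this flow; the relay only ever handles `wire.eml`, which is why certificate and key management on the client is the hard part the thread points to.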