Idea: secure webmail proxy

Ok, so it's well-known that travellers of the world are being keylogged and hacked big time. Additionally there are growing concerns about webmail privacy.

Solve both problems with a private secure webmail proxy that does two things: defeat key loggers with a graphical challenge response credential check, and defeat eavesdropping by making encryption easy to use with webmail.

The system consists of some host on the internet - preferably one that's stable and owned by the user. E.g. a home server. (This minimizes some risks, but maximizes others...) That system provides a web interface that can be accessed world wide (unfortunately most consumer ISPs block port 80, and some internet cafes block alternate ports...). The system contains your username password for gmail, for example, and prompts you with a fancy graphical clickable scheme to verify who you are. It then logs into your webmail, and provides you with content.

This is enough to defeat keyloggers (although there are easy tricks to do that), but since we're proxying, why not go one step further and make PKI services easy to use? The basic idea is that a small piece of software on the proxy will be looking for encrypted content and unencrypt it for you. It could be presented as text, but it would be even cooler to present it as an image, making it that much harder for someone to eavesdrop assuming they have complete control over the client machine.

This addresses one of the severe usability flaws of modern PKE software - it's too easy to mess up. It's easy to loose your private key; it's easy to forget your private key decrypt passphrase. It's hard to install the correct software and use it properly, on all the systems you might want to use it on. In this system the private key file is stored on your (presumably secure) home system, and the proxy has the ability to decrypt the private key.

Because of the nature of this sort of software, it basically must be open source. Ironically, as it becomes more popular so the countermeasures will become more popular as well. However, it's like those red bars people put in their cars - they are possible to remove, but if presented with two cars one with and one without, why bother?

A "not too shabby" variation is to use something like FireGPG, which is a Firefox plugin that at least eases the integration woes between GPG4Win and the browser. Frankly I think my idea is better. :)

No comments: