This is Not PGP
PGP
is the fine encryption program from Philip Zimmermann.
This is a demonstration of an experimental Java applet which
sends mail designed to be compatible with PGP encryption formats.
However, it has several security flaws, discussed below, and
should not be considered to be a replacement for PGP.
Directions
- Type the email address the mail should go to in the "To" box.
This will also be what is used to look up the key. Most people
include their email addresses in their key ID's so this should
work in most cases. (Only one email address can be used each
time you send a message. The applet doesn't support encrypting
to multiple addresses.)
-
Click on the "Get key" button.
The status window at the bottom of the screen will display the progress
of the efforts to get the key.
It can take a long time,
often a minute or more! The reason is that the applet can only
connect back to a key server running on my server, and that one
works by forwarding the request to another key server.
Click here to see the source to my
"proxy" key server.
-
While the key is being retrieved, fill in the "From" and "Subject"
boxes with your email address and the subject of the message.
-
Enter your message itself in the large "Message" area at the bottom.
-
Check the status window to see if the key has been retrieved
yet. If not, wait a bit more. The first user ID on the key is displayed
once the key comes in.
-
Click the "Encrypt" button to PGP encrypt the message using that key.
The text in the message window will change to show your encrypted
message.
This step is not undoable.
-
Click the "Send" button to send your PGP encrypted mail. The status window
reports when the mail has been sent.
Security issues
Using this Java applet is not as secure as using regular PGP. Several
things could go wrong to hurt its security.
-
The applet itself could have mistakes in the program. It is brand new
and experimental.
-
Some malicious person could substitute a weakened version of the
applet which makes copies of what you send, or uses weakened keys.
-
There is no convenient way to check whether the keys you are using are
valid. In the future I may add a display of a key fingerprint that
you could compare manually with a version you got through a trusted
channel.
-
The random number generation could use some improvement.
The program collects mouse movements, key strokes, and an internal
constantly-running "spinner" timer which is sampled periodically.
These are then passed through an MD5 hash. One thing missing is a
check to see whether enough randomness is available by the time the
"Encrypt" button is pressed.
Source
Source to all the applet classes is available.
I also have a
tar file with the files bundled
together.
Send PGP mail
Please let me know
of any problems.
Back to Hal Finney home page