Discussion:
Nofuture Age Web Interface by Victor HCC
SEC3
2025-01-16 19:50:55 UTC
On 1/16/25 13:13, Gabx wrote:
> This time it’s for real.
>
> I have also published on github the source of Nofuture-Age Web Interface, https://github.com/gabrix73/Nofuture-Age.
>
> You can test it out at https://safecomms.virebent.art.
>
> This is a web interface for Age.
>
> Age has been written by FiloSottile https://github.com/FiloSottile/age.
>
> My idea is to use it alongside mainstream messaging applications for encrypting/decrypting of text messages.
>
> As long as the session is active you will be able to encrypt text for your interlocutor and decrypt it.
>
> Once the session is ended, the keys used in the previous session are lost making it impossible to retrieve the plaintexts.
>
> The purpose of this approach is not to leave any data after a conversation.
>
> Age itself is designed to be simple and secure, using modern cryptographic primitives.


Thank you for creating and hosting this service. I have used age in the
past and I like it. It's lightweight and simple. I have a public key:

# age public key:
age1hvlgyfruxl5ejm6ym72utx34y2mngwl9gck8tg5jucrwhwshvdjqd0h05f

--
SEC3

YAMN Help Tutorial - https://www.sec3.net/yamnhelp/
kosmikdog
2025-01-16 20:04:39 UTC
SEC3 wrote:

> # age public key:
> age1hvlgyfruxl5ejm6ym72utx34y2mngwl9gck8tg5jucrwhwshvdjqd0h05f
>

This is mine:
age144fwj29ad33n5u7uvqrgjtmlr0dmz5gmgpameplvlrwmujl7kfsqxwt8tp

Stefan Claas
2025-01-16 21:15:14 UTC
kosmikdog wrote:
> SEC3 wrote:
>
> > # age public key:
> > age1hvlgyfruxl5ejm6ym72utx34y2mngwl9gck8tg5jucrwhwshvdjqd0h05f
> >
>
> This is mine:
> age144fwj29ad33n5u7uvqrgjtmlr0dmz5gmgpameplvlrwmujl7kfsqxwt8tp

If your Computer has a TPM 2.0 Chip (which is pretty cool, because
you get a TRNG with it) you can use:

https://github.com/Foxboron/age-plugin-tpm

And if you have a Yubikey (which is also pretty cool) you can
use:

https://github.com/str4d/age-plugin-yubikey

--
Regards
Stefan
Gabx
2025-01-18 17:37:23 UTC
Stefan Claas wrote:
> If your Computer has a TPM 2.0 Chip (which is pretty cool, because
> you get a TRNG with it) you can use:
>
> https://github.com/Foxboron/age-plugin-tpm
>
> And if you have a Yubikey (which is also pretty cool) you can
> use:
>
> https://github.com/str4d/age-plugin-yubikey

Rather I was thinking of an online way to exchange public keys without involving a central server and in a p2p way.
A way to connect two remote session-ids.
Alice and Bob.
Stefan Claas
2025-01-18 18:19:07 UTC
Gabx wrote:
> Stefan Claas wrote:
> > If your Computer has a TPM 2.0 Chip (which is pretty cool, because
> > you get a TRNG with it) you can use:
> >
> > https://github.com/Foxboron/age-plugin-tpm
> >
> > And if you have a Yubikey (which is also pretty cool) you can
> > use:
> >
> > https://github.com/str4d/age-plugin-yubikey
>
> Rather I was thinking of an online way to exchange public keys without involving a central server and in a p2p way.
> A way to connect two remote session-ids.
> Alice and Bob.

Well, I wonder anyway why people should use online encryption with a browser
for age, or other encryption programs, and as it seems need to stay on your
site, for the whole encryption/decryption procedure? I ask, because when I do
that I use my offline computer for communications and then transfer the encrypted
payload to my online computer, in case I have Government Trojans, like FinSpy
from Germany or Pegasus from Israel, which can't be detected by AV Software for
Windows/Linux/Mac.

That is also the reason why I do not use Omnimix or OnionShare and instead use
Onion Courier/minicrypt, or YAMN outfiles with Onion Courier and minicrypt.

--
Regards
Stefan
U***@[127.1]
2025-01-19 00:39:32 UTC
Stefan Claas wrote:
> Gabx wrote:
>> Stefan Claas wrote:
>>> If your Computer has a TPM 2.0 Chip (which is pretty cool, because
>>> you get a TRNG with it) you can use:
>>>
>>> https://github.com/Foxboron/age-plugin-tpm
>>>
>>> And if you have a Yubikey (which is also pretty cool) you can
>>> use:
>>>
>>> https://github.com/str4d/age-plugin-yubikey
>>
>> Rather I was thinking of an online way to exchange public keys without involving a central server and in a p2p way.
>> A way to connect two remote session-ids.
>> Alice and Bob.
>
> Well, I wonder anyway why people should use online encryption with a browser
> for age, or other encryption programs, and as it seems need to stay on your
> site, for the whole encryption/decryption procedure? I ask, because when I do
> that I use my offline computer for communications and then transfer the encrypted
> payload to my online computer, in case I have Government Trojans, like FinSpy
> from Germany or Pegasus from Israel, which can't be detected by AV Software for
> Windows/Linux/Mac.
>
> That is also the reason why I do not use Omnimix or OnionShare and instead use
> Onion Courier/minicrypt, or YAMN outfiles with Onion Courier and minicrypt.
>

I crypt/decrypt text in a browser tab and in another I make pastes of encrypted texts and copies of texts to decrypt.
No matter what mainstream channel of communication.
No matter what protocol of security is on, if there is, I can make my age copy/paste.

Once I closed the browser tab, once "end session", there are no more keys to worry about.

Nothing is saved on server hard disk,
key and data input rest in RAM and they disappear at "end session".

The browser is the most available and widely used tool that exists.

It is not a tool like a hardware key or special functions present only in some processors.

Nofuture/Age *wish* to be easy and of wide consumption.

For rapid encrypted communications on no matter
what device or channel.

Intuitive interface.
Responsive for mobile devices.
No matter your operating system.

Best Regards

Gabx

*VHCC*
Stefan Claas
2025-01-19 00:58:57 UTC
Use-Author-Supplied-Address-Header@[127.1] wrote:
> Stefan Claas wrote:
> > Gabx wrote:
> > > Stefan Claas wrote:
> > > > If your Computer has a TPM 2.0 Chip (which is pretty cool, because
> > > > you get a TRNG with it) you can use:
> > > >
> > > > https://github.com/Foxboron/age-plugin-tpm
> > > >
> > > > And if you have a Yubikey (which is also pretty cool) you can
> > > > use:
> > > >
> > > > https://github.com/str4d/age-plugin-yubikey
> > >
> > > Rather I was thinking of an online way to exchange public keys without involving a central server and in a p2p way.
> > > A way to connect two remote session-ids.
> > > Alice and Bob.
> >
> > Well, I wonder anyway why people should use online encryption with a browser
> > for age, or other encryption programs, and as it seems need to stay on your
> > site, for the whole encryption/decryption procedure? I ask, because when I do
> > that I use my offline computer for communications and then transfer the encrypted
> > payload to my online computer, in case I have Government Trojans, like FinSpy
> > from Germany or Pegasus from Israel, which can't be detected by AV Software for
> > Windows/Linux/Mac.
> >
> > That is also the reason why I do not use Omnimix or OnionShare and instead use
> > Onion Courier/minicrypt, or YAMN outfiles with Onion Courier and minicrypt.
> >
>
> I crypt/decrypt text in a browser tab and in another I make pastes of encrypted texts and copies of texts to decrypt.
> No matter what mainstream channel of communication.
> No matter what protocol of security is on, if there is, I can make my age copy/paste.
>
> Once I closed the browser tab, once "end session", there are no more keys to worry about.
>
> Nothing is saved on server hard disk,
> key and data input rest in RAM and they disappear at "end session".
>
> The browser is the most available and widely used tool that exists.
>
> It is not a tool like a hardware key or special functions present only in some processors.
>
> Nofuture/Age *wish* to be easy and of wide consumption.
>
> For rapid encrypted communications on no matter
> what device or channel.
>
> Intuitive interface.
> Responsive for mobile devices.
> No matter your operating system.
>
> Best Regards
>
> Gabx
>
> *VHCC*
>

I think you do not really understand the threat model. If your online
device is compromised by a Government Trojan, which you can't detect,
your encryption process is pretty useless, because the spyware has your
plaintext already, prior to encryption.

Well, just saying...

--
Regards
Stefan
kosmikdog
2025-01-19 01:33:15 UTC
Stefan Claas wrote:
>
> I think you do not really understand the threat model. If your online
> device is compromised by a Government Trojan, which you can't detect,

A quantic trojan!

> your encryption process is pretty useless, because the spyware has your
> plaintext already, prior to encryption.
>
> Well, just saying...
>

Thanks Chef
I will treasure this observation.

Gabx
Stefan Claas
2025-01-19 09:11:20 UTC
kosmikdog wrote:
> Stefan Claas wrote:
> >
> > I think you do not really understand the threat model. If your online
> > device is compromised by a Government Trojan, which you can't detect,
>
> A quantic trojan!

With zero-click attack capabilities. Works also with iOS and Android.

> > your encryption process is pretty useless, because the spyware has your
> > plaintext already, prior to encryption.
> >
> > Well, just saying...
> >
>
> Thanks Chef
> I will treasure this observation.

You're welcome.

--
Regards
Stefan
Gabx
2025-01-17 19:56:16 UTC
From now on, the Nofuture-Age interface will not be active as new features are added.

* Fix <End Session> button, currently it deletes input data and keys, but does not delete the session-id, not exactly what I want.

* Adding a qrcode to facilitate public key sharing.

* Possible use of yubikey.

P.S.

As soon as I realize the benefits especially in terms of security compared to a normal session-id, I have never seen yubikey in practice, never used.

[Ping Stefan Claas]


Gabx
Stefan Claas
2025-01-17 20:21:40 UTC
Gabx wrote:

> As soon as I realize the benefits especially in terms of security compared to a normal session-id, I have never seen yubikey in practice, never used.
>
> [Ping Stefan Claas]

Yubikeys are used mostly nowadays for Online-Logins in all major platforms,
for 2FA, or with GnuPG, SSH etc. In Slot 2 (or 1) you can store also long
random passwords, in case you would use symmetric encryption with friends,
so that you only need to push the button on a Yubikey, which is pretty cool,
because one could use a password generated with my TPM 2.0 pwgen Go program.

--
Regards
Stefan
Gabx
2025-01-18 17:52:23 UTC
Hi,
* Button "End Session" has been fixed, it deletes the session-id, too.
* Public Key is visible for the entire duration of the session on the top of the page.
* qrcode for key sharing [abandoned]

TODO

* memguard


> Best regards

Gabx
Nomen Nescio
2025-01-18 18:08:43 UTC
>
> Thank you for creating and hosting this service. I have used age in the past
> and I like it. It's lightweight and simple.
>
Why not use GPG?
Onion Courier
2025-01-18 19:02:13 UTC
Nomen Nescio wrote:
> >
> > Thank you for creating and hosting this service. I have used age in the
> > past and I like it. It's lightweight and simple.
> Why not use GPG?

Because it's not lightweight and simple... :)