ShadowCrypt: post encrypted messages on any site in Chrome
ShadowCrypt is a Chrome extension that brings encrypted messaging to Internet sites such as Reddit, Facebook or Twitter. The core idea behind ShadowCrypt is to provide Internet users with the means to post encrypted messages on the Internet so that only select recipients can read it.
ShadowCrypt runs as a browser extension in Chrome that replaces page input elements with secure inputs and encrypted text.
Basically, it gives you options to post encrypted text on websites that only users can read who have access to the same encryption key as the user who published the message.
Probably the best way of understanding how this works is to visit the ShadowCrypt Playground on Reddit, a group on the popular site that users of the extension use to test the extension's functionality.
If you visit the group without ShadowCrypt installed, you won't see lots of clear text on it. With ShadowCrypt installed, many of the messages become readable.
ShadowCrypt ships with several pre-installed keys which means that users of the extension share those keys with each other. This is the reason why you can read messages published by other users in the group.
Since every text field is handled separately, it is up to you to encrypt all or only select one. That's why you can read some titles in the first screenshot even though the message itself is encrypted (which you see when you click through).
If you use one of the default sites, you may want to change the passphrase of it in the options to block other ShadowCrypt users from reading your messages on those sites.
This means however that you need to share that passphrase with users that you want to grant access to your messages.
Since there is no built-in way of doing so, you need to find external ways to share keys. You get an export string however that you can copy for each site you have configured in the options which other users can import on their system to add that key to their system.
Encryption keys are stored on the user's computer and not in the cloud, and multiple keys per service are supported.
ShadowCrypt works on most sites that you come across. You do need to remember though that you need to create a key for new sites in the options before the extension's functionality becomes available.
The extension worked fine on Facebook, Yahoo Mail, Gmail, Reddit and Twitter, and should work on the majority of sites on the Internet. Tests on a couple of chat sites however were not successful.
The UC Berkeley term that created the extension published a research paper with in-depth security and implementation information. A link to the paper and the source code of the extension is available on Weebly.
Verdict
ShadowCrypt is an easy to use extension to encrypt and decrypt textual information on the web. It works on many popular site types including web mail, blogs and social networking sites.
It uses a single shared key instead of private and public keys which needs to be shared with all users you want to exchange information with in encrypted form.
While relatively easy to use, it has a few drawbacks. First, you need to find a way to exchange keys to get started. Then, you need to ensure that the service that you post encrypted messages on has no issue with that and thirdly, it is limited to text only.
This is beautiful i love it
If this was going to be used for real security (e.g. journalism in an oppressive regime), passwords would probably need to be in the 20+ characters area to avoid a “rainbow tables” style attack where you generate every possible key. That may seem a little extreme but — assuming this takes off — someone will probably start working on all the password possibilities for Reddit (for example).
Either way, I’m still glad to see people thinking along these lines. As almost nobody I’ve met use GPG, alternatives that even give partial controls are welcome.
chrome only :(
This is an interesting idea, I wonder if the NSA has already cracked it.