[Greasemonkey] greasemonkey for secure data over insecure networks / sites

Nikolas Coukouma lists at atrus.org
Mon Jul 18 15:37:29 EDT 2005


Aaron Boodman wrote:

>On 7/18/05, Jeremy Dunck <jdunck at gmail.com> wrote:
>
>>On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
>>
>>>This points to the
>>>concept of a partially-encrypted web, ordinarily invisible, and a
>>>generic GM script that decrypts and displays it.  That gives me the
>>>kind of woody I haven't had since I first learned about GM in the
>>>first place.
>>
>>So, uh, the script leaking investigation isn't entirely for the glory
>>of knowing.  It also sucks to leak private keys.
>
>Jeez, yeah. Great point.
>
>I sorta feel like Greasemonkey has grown out of this uncomfortable
>adolescent adding <script> elements to the DOM phase. These are the
>next most important tasks, as I see them:
>
>* Find a way to run user scripts in isolation, with the contentWindow
>as their global object, in the correct security context.
>
>* Do a full XPCNativeWrapperfication of the entire code base.
>
>Mark, can you send your friend a note telling him not to put private
>keys in user scripts for now? His script can just prompt for the
>password for now.
>
I've been fiddling with storing private keys in bookmarklets (a JS
version of PGP). My general approach is to use a password to encrypt the
key for storage and decrypt it for use. It falls back to passwords, but
doesn't require sending it to the server (most of which lack TLS/SSL).

-Nikolas Coukouma
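
The approach described in the message above (a password encrypts the private key for storage and decrypts it for use), as an added example that is not part of the original post and not Nikolas's code. It uses today's Web Crypto API (PBKDF2 and AES-GCM); the function names, the iteration count and the sample key bytes are assumptions made here.

```javascript
// Web Crypto is a global in browsers and Node 19+; require() is a fallback for older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const PBKDF2_ITERATIONS = 600000; // assumed work factor, tune for your devices

const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive an AES-256-GCM key from the passphrase and a per-blob random salt.
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns a JSON string holding only salt, IV and ciphertext: this is what gets stored.
async function wrapPrivateKey(privateKeyBytes, passphrase) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(passphrase, salt);
  const ct = new Uint8Array(
    await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, privateKeyBytes));
  return JSON.stringify({ v: 1, salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) });
}

// Returns the key bytes, or null when the passphrase is wrong or the blob was altered.
async function unwrapPrivateKey(blobJson, passphrase) {
  const { salt, iv, ct } = JSON.parse(blobJson);
  const key = await deriveKey(passphrase, fromB64(salt));
  try {
    return new Uint8Array(await wc.subtle.decrypt(
      { name: "AES-GCM", iv: fromB64(iv) }, key, fromB64(ct)));
  } catch {
    return null; // GCM authentication tag did not verify
  }
}

// Constructed sample: 32 placeholder bytes standing in for a real private key.
const SAMPLE_KEY = Uint8Array.from({ length: 32 }, (_, i) => i);

async function demo() {
  const blob = await wrapPrivateKey(SAMPLE_KEY, "correct horse battery staple");
  const good = await unwrapPrivateKey(blob, "correct horse battery staple");
  const bad = await unwrapPrivateKey(blob, "wrong guess");
  return { blob, unlocked: good !== null, rejected: bad === null };
}
demo().then((r) => console.log(r));
```

The stored blob is only as strong as the passphrase, and the unwrapped key is still exposed to whatever context the script runs in, which is the isolation problem raised in the quoted message.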

