[Greasemonkey] greasemonkey for secure data over insecure networks
lists at atrus.org
Mon Jul 18 15:37:29 EDT 2005
Aaron Boodman wrote:
>On 7/18/05, Jeremy Dunck <jdunck at gmail.com> wrote:
>>On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
>>>This points to the
>>>concept of a partially-encrypted web, ordinarily invisible, and a
>>>generic GM script that decrypts and displays it. That gives me the
>>>kind of woody I haven't had since I first learned about GM in the
>>So, uh, the script leaking investigation isn't entirely for the glory
>>of knowing. It also sucks to leak private keys.
>Jeez, yeah. Great point.
>I sorta feel like Greasemonkey has grown out of this uncomfortable
>adolescent adding <script> elements to the DOM phase. These are the
>next most important tasks, as I see them:
>* Find a way to run user scripts in isolation, with the contentWindow
>as their global object, in the correct security context.
>* Do a full XPCNativeWrapperfication of the entire code base.
>Mark, can you send your friend a note telling him not to put private
>keys in user scripts for now? His script can just prompt for the
>password for now.
I've been fiddling with storing private keys in bookmarklets (a JS
version of PGP). My general approach is to use a password to encrypt the
key for storage and decrypt it for use. It falls back to passwords, but
doesn't require sending it to the server (most of which lack TLS/SSL).
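
The password-encrypts-the-key approach described in the message above, as an added example that is not part of the original thread or any poster's code. It assumes Node.js's built-in `crypto` module, with scrypt and AES-256-GCM as the concrete primitives (the post names none); the function names and the sample key are hypothetical.

```javascript
// Added example: only the password-wrapped blob is stored with the script,
// so a leaked script exposes ciphertext rather than the private key itself.
const nodeCrypto = require('node:crypto');

// Constructed sample value, not a real key.
const SAMPLE_KEY = '-----BEGIN CONSTRUCTED SAMPLE KEY-----\nnot-a-real-key\n-----END CONSTRUCTED SAMPLE KEY-----';

// Stretch the password into a 256-bit key-encryption key (scrypt, default cost).
function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Encrypt the private key for storage. Fresh salt and IV on every call,
// so wrapping the same key twice never yields the same blob.
function wrapKey(privateKey, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKek(password, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKey, 'utf8'), cipher.final()]);
  // Stored form: salt.iv.tag.ciphertext, each part base64.
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Decrypt for use. Returns null on a wrong password or a modified blob:
// the GCM tag check fails before any plaintext is released.
function unwrapKey(blob, password) {
  const parts = blob.split('.');
  if (parts.length !== 4) return null;
  const [salt, iv, tag, ct] = parts.map((p) => Buffer.from(p, 'base64'));
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKek(password, salt), iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}
```

A leaked blob can still be attacked by offline password guessing, so the protection is only as strong as the password and the key-derivation cost.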