
Encrypting Google Calendar With Firefox Extensions

mrcgran writes "IBM's Nathan Harrington has an interesting essay on using open-source tools to ensure privacy on Google Calendar: 'Today's Web applications provide many benefits for online storage, access, and collaboration. Although some applications offer encryption of user data, most do not. This article provides tools and code needed to add basic encryption support for user data in one of the most popular online calendar applications. Building on the incredible flexibility of Firefox extensions and the Gnu Privacy Guard, this article shows you how to store only encrypted event descriptions in Google's Calendar application, while displaying a plain text version to anyone with the appropriate decryption keys.'"
  • And the ads? (Score:5, Interesting)

    by McGiraf ( 196030 ) on Sunday July 20, 2008 @04:43PM (#24265491)

    I wonder what weird context ads will show up on a gmail page full of encrypted stuff.

    • Re: (Score:3, Funny)

      by saibot834 ( 1061528 )

      None, if you not only use this story's extension, but also Adblock Plus [mozilla.org].

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Are any of these extensions (CalendarEncrypt, Adblock Plus) against the TOS? As much as I believe that you should be allowed to do whatever you want on your computer, when your data is in the cloud the provider can always pull the plug so you better not ignore the TOS.

        • Re: (Score:3, Insightful)

          by vain gloria ( 831093 )

          Are any of these extensions (CalendarEncrypt, Adblock Plus) against the TOS? As much as I believe that you should be allowed to do whatever you want on your computer, when your data is in the cloud the provider can always pull the plug so you better not ignore the TOS.

          The cloud is a lie. One we're better off not perpetuating at that. Our data is on Google's servers, under their control and used for their benefit. I realise you're referring unambiguously to this yourself when you talk about breaching their T

    • 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

      And then the MPAA is going to go after Google.
    • Re: (Score:3, Funny)

      by MagdJTK ( 1275470 )
      eqdauyebguuheqaswgddqjxktrfevamsdessypwnwsngqoxuaqeanwhhjcxeaodnlyhw
    • Re: (Score:3, Funny)

      by General Wesc ( 59919 )
      Looking for dmgs wcbetc xgamgamqr p?
      Find exactly what you want today!
      www.eBay.com
  • afafasdf (Score:5, Funny)

    by Heem ( 448667 ) on Sunday July 20, 2008 @04:52PM (#24265559) Homepage Journal

    jub arrqf nyy gung penc? Whfg hfr guvf xvpx-nff rapelcgvba zrgubq gung abobql pbhyq rire svther bhg!

    • Re:afafasdf (Score:5, Funny)

      by thrillseeker ( 518224 ) on Sunday July 20, 2008 @05:03PM (#24265625)
      Yes, I'll pay you Tuesday for the hamburger today, as scheduled.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Your confidence in that encryption method is intriguing, Mr. Urrz.

    • Re:afafasdf (Score:4, Funny)

      by hostyle ( 773991 ) * on Sunday July 20, 2008 @05:17PM (#24265727)

      No I'm afraid the turtle escapade did not go quite as planned. Requesting a vet and some extraction tools. I submit that next time we grease the turtle and not the tubes. TTYL

    • Re: (Score:3, Funny)

      by strelitsa ( 724743 ) *

      The chair is against the wall.

      But ...

      BUT ...

      John has a SHORT moustache.

      • Re:afafasdf (Score:4, Informative)

        by mrcgran ( 1002503 ) on Sunday July 20, 2008 @06:56PM (#24266565)

        The chair is against the wall.

        But ...

        BUT ...

        John has a SHORT moustache.

        Thanks for introducing me to this Wikipedia article on number stations: http://en.wikipedia.org/wiki/Numbers_station [wikipedia.org]

        ... "In the 1984 film Red Dawn, a band of high school guerrilla fighters hears two code phrases (each repeated twice) broadcast over the radio as they hide out in the wilderness. The phrases are: The chair is against the wall and John has a long mustache (the latter of which was actually used as a code-signal by the French Resistance during World War II)."

    • Quite. I'd propose to meet you in a fortnight for some crumpets, if you would have it be.

      Naturally, we'll need the olive oil as usual.

    • by Joebert ( 946227 )
      42
    • jub arrqf nyy gung penc? Whfg hfr guvf xvpx-nff rapelcgvba zrgubq gung abobql pbhyq rire svther bhg!

      aka

      who needs all that crap? Just use this kick-ass encryption method that nobody could ever figure out!

      You should patent that encryption method! It's so convenient! I didn't even need a key!

      • by skeeto ( 1138903 )

        I didn't even need a key!

        His algorithm uses a 5-bit key, but the key space only has 25 valid keys. Therefore, searching this key space is trivial, even for a paper-and-pencil method. In this case he chose the most commonly used key for this algorithm (ROTn), which you happened to also try first: 13 (or in base-2: 01101).
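
The key-space search described in the comment above, as an added example that is not part of the original thread: it tries all 25 ROTn keys against the two ROT-encoded comments on this page and keeps the candidate with the most common English words. The word list and function names are assumptions of this example.

```javascript
// Constructed word list for scoring candidate plaintexts (an assumption of this example).
const COMMON = new Set(["the", "and", "that", "this", "it", "out", "just",
  "who", "all", "use", "could", "ever", "i", "a", "of", "to", "is", "you"]);

// Rotate ASCII letters forward by n (0..25); everything else is untouched.
function rot(text, n) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + n) % 26) + base);
  });
}

// Score = number of tokens that are common English words.
function score(text) {
  return text.toLowerCase().split(/[^a-z]+/).filter((w) => COMMON.has(w)).length;
}

// Try all 25 non-trivial keys and keep the best-scoring plaintext.
function crack(ciphertext) {
  let best = { shift: 0, score: -1, plaintext: ciphertext };
  for (let shift = 1; shift <= 25; shift++) {
    const plaintext = rot(ciphertext, 26 - shift); // undo a forward shift
    const s = score(plaintext);
    if (s > best.score) best = { shift, score: s, plaintext };
  }
  return best;
}

// Ciphertexts copied from two comments in this thread.
const SAMPLES = [
  "jub arrqf nyy gung penc? Whfg hfr guvf xvpx-nff rapelcgvba zrgubq gung abobql pbhyq rire svther bhg!",
  "W twuifsr wh cih obr fch 14'r awbs pippo",
];

for (const c of SAMPLES) {
  const { shift, plaintext } = crack(c);
  console.log(`ROT${shift}: ${plaintext}`);
}
```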

    • W twuifsr wh cih obr fch 14'r awbs pippo

    • by Xtifr ( 1323 )

      jub arrqf nyy gung penc? Whfg hfr guvf xvpx-nff rapelcgvba zrgubq gung abobql pbhyq rire svther bhg!

      Just out of curiosity, I posted that into a new email with gmail, saved it to my drafts folder, then went to look, and the "context" ads that appeared are:

      Secrets of the Shaolin
      Rare Chinese Scriptures Translated Released for 1st Time Ever

      Try Tai Chi QiGong
      Live A More Active & Fuller Life, DVD/Videos, Free & Fast Shipping!

      Coconut Soup (Tom Kha)
      Made with Fresh Coconut Milk Loaded with Lemongrass and Galangal

      Chi Kung Resources
      See How Chi Kung Can Empower You. Learn How Today!

      BE a Yoga Teacher
      Teacher T

      • by ftobin ( 48814 ) *
        Well, it makes sense that if you are swapping for letters on the other side of the alphabet, you might end up with a language for the other side of the world.
  • by HappyUserPerson ( 954699 ) on Sunday July 20, 2008 @05:43PM (#24265919)

    I get why this article is on Slashdot (it's kind of cool), but why would IBM pay employees to work on this type of thing? It's impractical for several reasons...

    Security & practicality:

    1. You must install an add-in to use it. You want to share your encrypted calendar with some friends. You tell them "uhh, just install this arbitrary XPI." No thanks.
    2. No mention on how to securely transfer the private key to your friends. Email?
    3. From your browser, the add-in spawns a shell to run a Perl script which passes arbitrary content to gpg. Security much?

    Google:

    1. This component is dependent on Google not changing their page. How would you and your friends like to recompile each time Google changes their page?
    2. Who are you trying to protect your data from anyway? Google? They could change their page to by-pass your encryption and intercept new events as you post them. If you trust Google not to do that, what's the point? Just mark the entry as private and share it as appropriate...
    3. It goes against Google's business. Okay if just a handful of users encrypt their events, no problem. However, displaying a bunch of base64 encoded garbage messes up Google's ads. Which, you know, is virtually their entire source of revenue. In the unlikely event that this technique became popular, Google would be forced to shut it down.
    4. Google might shut it down anyway. It's a calendar. It's not for posting arbitrary base64 encoded data. If many users use Google calendar for posting arbitrary binary data, calendar would quickly become a lawless file trading platform (think usenet) and create a performance, storage, and/or legal mess.
    • Re: (Score:3, Insightful)

      by smallfries ( 601545 )

      Under Security & Practicality you missed a few points:

      4. It leaks information. The encrypted version shows when you are busy and free
      5. There's no point using a 4096-bit key. Most calendar entries are 60 characters so the key size is overkill given there is probably less than 360 bits of entropy
      6. Calendar entries are highly regular, a dictionary attack would be tractable regardless of the key-size because of the limited input space

  • Frankly, I think most people don't need military grade encryption for their calendar, they just need to be able to obfuscate some of the entries in a repeatable fashion (so you can search for obfuscated events) which is not trivially unobfuscated by Google (or any others, e.g., governments, who would like to search everyone's calendar for particular keywords).

    For most people, even the "Leet Key" extension is overkill.

    I've been thinking about this, have even worked up a Javascript-based very weak, keyed, rep

    • Errr, what keywords do you think governments would like to scan calendars for? I don't think there is much of a market for online calendar services for drug dealers or terrorists:

      11pm Pick up 2kg of uncut cocaine
      Weds [all-day] Cut the coke

      or

      Fri 9am Blow myself the fuck up outside the library

      ??? I mean, I can see your point that this is overkill. I'm just surprised that you offhandedly show such paranoia :)

      • > what keywords do you think governments would like to scan calendars for?

        Donno, say, the local DA has just managed to convict P. Ed Erast for child porn, and he says to himself, 'Hmm, maybe I should run a scan on everyone's online calendars for the phrase "P. Ed Erast"?' He can't do that legally in the US, but that doesn't mean he might not want to do it.

        > I don't think there is much of a market for online calendar services for
        > drug dealers or terrorists...

        That's a funny strawman, thanks for the

  • by Anonymous Coward on Sunday July 20, 2008 @07:50PM (#24267009)
    It's been done before. See a college project of mine called the Web Application Privacy Protector [jhu.edu] (WAPP) or here [jhu.edu].

    A major drawback is that it's usually very implementation-specific. The plugin has to be updated whenever the web application is significantly updated, and can usually be circumvented by the application provider if they really want. Additionally, encryption eliminates searchability, though there are some mediocre mitigations such as searchable encryption, tags, or searching for hashes of words. Note: WAPP hasn't been maintained since ~5/07, so it likely won't work with current applications without some tweaks.

    If you have any questions, my email address is (my first name) DOT (my last name) at gmail.com.

    - Gabriel Landau
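
The "searching for hashes of words" mitigation mentioned in the comment above, as an added example that is not WAPP's or the article's code: it stores one token per word beside the encrypted description and compares plain SHA-256 tokens with HMAC tokens under a shared index key. The function names, sample events and guess list are constructed for this example.

```javascript
const crypto = require("crypto");

// Normalise a description into lowercase words.
const words = (text) => text.toLowerCase().match(/[a-z0-9]+/g) || [];

// Unkeyed token: a plain hash of the word, recomputable by anyone.
const plainToken = (w) =>
  crypto.createHash("sha256").update(w).digest("hex");

// Keyed token: HMAC under a secret index key held only by calendar members.
const keyedToken = (key) => (w) =>
  crypto.createHmac("sha256", key).update(w).digest("hex");

// Index stored beside the ciphertext: one token per distinct word.
function buildIndex(description, tokenFn) {
  return [...new Set(words(description).map(tokenFn))];
}

// Client-side search: tokenise the query word and match stored tokens.
function search(events, word, tokenFn) {
  const t = tokenFn(word.toLowerCase());
  return events.filter((e) => e.index.includes(t)).map((e) => e.id);
}

// Provider's view: test guessed words against the stored tokens.
function guessWords(index, guesses, tokenFn) {
  return guesses.filter((w) => index.includes(tokenFn(w)));
}

function demo() {
  const descriptions = ["Dentist appointment", "Lunch with Alice"]; // constructed
  const guesses = ["lunch", "dentist", "meeting"];                  // constructed
  const member = keyedToken(crypto.randomBytes(32));   // shared index key
  const outsider = keyedToken(crypto.randomBytes(32)); // someone without that key
  const store = (fn) =>
    descriptions.map((d, i) => ({ id: i + 1, index: buildIndex(d, fn) }));
  const hashed = store(plainToken);
  const keyed = store(member);
  return {
    memberSearch: search(keyed, "Lunch", member),
    leakedFromHashes: guessWords(hashed[0].index, guesses, plainToken),
    leakedFromKeyed: guessWords(keyed[0].index, guesses, outsider),
  };
}

console.log(demo());
```

Keyed tokens stop word guessing by anyone without the index key, but equal words still produce equal tokens, so the stored index continues to reveal which events share a word.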
    • Re: (Score:1, Funny)

      by Anonymous Coward

      > my email address is (my first name) DOT (my last name) at gmail.com.

      Hey, I just tried "anonymous.coward@gmail.com" and it bounced.

  • I've been using GPG for years, and it's very rare that I run into someone else who uses it. It's refreshing to see it making a comeback! I don't use Google Calendar (nothing against it, but I prefer iCal), but this is quite a novel approach to encryption.
    • 1.
      > it's very rare that I run into someone else who uses [GPG]
      2.
      > It's refreshing to see it making a comeback!

      1. Why do you think it is that way?
      2. What IYHO has changed compared to 1 and what still needs to happen?

        1. I think the proliferation of webmail and AOLers has put the proverbial fork into anything that can't be simplified in its entirety to a toolbar button. You can click a button to sign and encrypt messages, sure, but you can't quite click a button to generate a key, sign someone else's key, send and receive from keyservers, etc.

          Oh yeah, and no one seems to care, despite companies trying to think of new ways to verify that they are the sender of an email. AOL has their "Official AOL Mail", and everyone els

  • Monday 9am - doing nothing
    Monday 10am - doing nothing
    Monday 11am - doing nothing
    Monday 12pm - lunch
    Monday 1pm - doing nothing
    Monday 2pm - doing nothing ...

    • Why does Google NOT allow you to use all their services securely, i.e., TLS/encrypted???

      Last I looked only Gmail and Gcal are able to be encrypted: httpS.

      Why, with their ginourmous resources cpu power should be trivial. WTF?

      And at least in most Europe and the USA legal issues, snooping should be moot.

    • Agreed... I use https for all of my Google stuff. I can't believe people do it any other way. The 3 main apps I use with it are:

      GMail
      Calendar
      Google Docs

      I can't believe that people actually use GMail and Google Docs _without_ using https! That is a lot of personal junk flowing over unencrypted pipes.

      I have to agree with my sibling poster... why doesn't Google encrypt all services that can carry sensitive information by default? Just doesn't make sense.

      BTW: Even Google Gears (used for offline google docs
