How to Exchange Encrypted Messages on Any Website
After last year’s revelations about U.S. Internet surveillance raised interest in privacy tools, Google and Yahoo both announced they were working on software to let people who use their e-mail services easily exchange encrypted messages.
Now a prototype browser extension called ShadowCrypt, made by researchers at the University of California, Berkeley, and the University of Maryland, goes even further. It makes it easy to send and receive encrypted text on Twitter, Facebook, or any other website.
Using ShadowCrypt, a person who writes or is authorized to read a tweet or e-mail sees normal text. The site operator or anyone else looking at or intercepting the posting would see a garbled string of letters and numbers.
ShadowCrypt was created to show that strong encryption could be made both simple to use and compatible with popular services such as Twitter, says Devdatta Akhawe, a security engineer at Dropbox who helped develop ShadowCrypt as a grad student at Berkeley. “We wanted to show how you could make a practical, fast mechanism that is easy to use,” he says. Akhawe and colleagues tested ShadowCrypt on 17 different major Web services; it worked more or less flawlessly on 14, including Facebook, Twitter, and Gmail.
PGP, software first released in 1991, is probably the best-known software for encrypted messaging, but it is notoriously difficult to master. In general, existing tools for encrypted messaging tend to either require switching to a new service, such as Silent Circle (see “An App Keeps Spies Away from Your Phone”), or are very clunky.
To use ShadowCrypt you install the extension and then create encryption keys for each website you wish to use it with. A small padlock icon at the corner of every text box is the only indication that ShadowCrypt is hiding the garbled encrypted version that will be submitted when you hit the “send” or “post” button.
Other people can read that text if you provide them with the encryption key used to create it to add to their own ShadowCrypt settings. After they have done that, any text they view that has been encrypted with that key appears normal to them.
For example, the tweet below is perfectly readable to anyone who has installed ShadowCrypt, because it was encrypted using the extension’s default key for Twitter.com. Multiple keys can be made for any one site and it is easy to choose from them. You might use a different one for each person you wish to e-mail securely, for example.
=?shadowcrypt-4ff95cef5a76149b687f7b54908cd2fa168794e214cedf9ee1a5df1dfec13057?fYtRaaL8maPP6ud0RldZhAEhO1KGy8pCqOMeSuVzldAwNpkB??=
Tom Simonite (@tsimonite), November 4, 2014
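What a site operator or a reader without the key can still learn from a posting like the tweet above is shown in this added example, which is not ShadowCrypt's own code. It assumes, from this single sample, that the 64 hex characters identify the key and that the next field is the base64-encoded ciphertext; the function names and the keyring are hypothetical.

```javascript
// Added example (Node.js). Field meanings are inferred from the one sample on
// the page, not from ShadowCrypt's specification.
// Assumed shape: =?shadowcrypt-<64 hex>?<base64 payload>?<trailing field>?=
const ENVELOPE =
  /=\?shadowcrypt-([0-9a-f]{64})\?([A-Za-z0-9+\/=_-]+)\?([^?\s]*)\?=/g;

// The encrypted tweet quoted in the article.
const SAMPLE =
  '=?shadowcrypt-4ff95cef5a76149b687f7b54908cd2fa168794e214cedf9ee1a5df1dfec13057' +
  '?fYtRaaL8maPP6ud0RldZhAEhO1KGy8pCqOMeSuVzldAwNpkB??=';

// Find every envelope in a block of page text and report what is visible
// without any key: position, key identifier, and ciphertext size.
// keyring: Map of key id (hex) -> label, standing in for a user's imported keys.
function findEnvelopes(text, keyring = new Map()) {
  const found = [];
  for (const m of text.matchAll(ENVELOPE)) {
    const [raw, keyId, payload, trailer] = m;
    found.push({
      offset: m.index,
      length: raw.length,
      keyId,
      payloadBytes: Buffer.from(payload, 'base64').length,
      trailer,                          // empty in the article's sample
      readable: keyring.has(keyId),     // true only if this reader holds the key
      keyLabel: keyring.get(keyId) ?? null,
    });
  }
  return found;
}

// Replace envelopes the reader cannot open with a short marker and leave the
// rest of the text, including envelopes whose key is in the keyring, untouched.
function redactUnreadable(text, keyring = new Map()) {
  return text.replace(ENVELOPE, (raw, keyId) =>
    keyring.has(keyId) ? raw : `[encrypted, key ${keyId.slice(0, 8)}…]`);
}
```

The message text stays hidden, but the key identifier and the payload size are visible to anyone who can see the posting.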
ShadowCrypt is still a research project, but independent cryptography researcher Justin Troutman says its design demonstrates a useful new approach to online security.
That’s because it offers a way for people to take control of the security of the data they put into a Web service, he says. More often, most attention is paid to protecting data only as it travels to and from service providers’ servers. “It’s a step toward building a more benign surface for interacting with Web apps,” says Troutman.
A paper on ShadowCrypt, the code for which is open-source, will be presented at the ACM Conference on Computer and Communications Security this week.