After last year’s revelations about U.S. Internet surveillance raised interest in privacy tools, Google and Yahoo both announced they were working on software to let people who use their e-mail services easily exchange encrypted messages.
Now a prototype browser extension called ShadowCrypt, made by researchers at the University of California, Berkeley, and the University of Maryland, goes even further. It makes it easy to send and receive encrypted text on Twitter, Facebook, or any other website.
Using ShadowCrypt, a person who writes or is authorized to read a tweet or e-mail sees normal text. The site operator or anyone else looking at or intercepting the posting would see a garbled string of letters and numbers.
ShadowCrypt was created to show that strong encryption could be made both simple to use and compatible with popular services such as Twitter, says Devdatta Akhawe, a security engineer at Dropbox who helped develop ShadowCrypt as a grad student at Berkeley. “We wanted to show how you could make a practical, fast mechanism that is easy to use,” he says. Akhawe and colleagues tested ShadowCrypt on 17 different major Web services; it worked more or less flawlessly on 14, including Facebook, Twitter, and Gmail.
PGP, software first released in 1991, is probably the best-known software for encrypted messaging, but it is notoriously difficult to master. In general, existing tools for encrypted messaging tend to either require switching to a new service, such as Silent Circle (see “An App Keeps Spies Away from Your Phone”), or are very clunky.
To use ShadowCrypt you install the extension and then create encryption keys for each website you wish to use it with. A small padlock icon at the corner of every text box is the only indication that ShadowCrypt is hiding the garbled encrypted version that will be submitted when you hit the “send” or “post” button.
Other people can read that text if you give them the encryption key used to create it, which they then add to their own ShadowCrypt settings. After they have done that, any text they view that has been encrypted with that key appears normal to them.
For example, the tweet below is perfectly readable to anyone who has installed ShadowCrypt, because it was encrypted using the extension’s default key for Twitter.com. Multiple keys can be made for any one site, and it is easy to choose among them. You might use a different one for each person you wish to e-mail securely, for example.
=?shadowcrypt-4ff95cef5a76149b687f7b54908cd2fa168794e214cedf9ee1a5df1dfec13057?fYtRaaL8maPP6ud0RldZhAEhO1KGy8pCqOMeSuVzldAwNpkB??=
— Tom Simonite (@tsimonite) November 4, 2014
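The flow described above, as an added illustration that is not ShadowCrypt's code and not from the article: the site stores only a sealed envelope, a reader whose keyring holds the matching key sees plaintext, and everyone else sees the garbled string. The cipher (AES-256-GCM), the SHA-256 key fingerprint, the envelope layout (inferred from the sample tweet) and all function names are assumptions.

```javascript
// Added illustration; NOT ShadowCrypt's implementation. Assumptions: AES-256-GCM,
// SHA-256 key fingerprint, envelope layout inferred from the sample tweet.
const crypto = require('node:crypto');

const fingerprint = (key) => crypto.createHash('sha256').update(key).digest('hex');

// What the website receives: key fingerprint plus base64(iv | tag | ciphertext).
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  const blob = Buffer.concat([iv, c.getAuthTag(), body]).toString('base64');
  return `=?shadowcrypt-${fingerprint(key)}?${blob}??=`;
}

const ENVELOPE = /=\?shadowcrypt-([0-9a-f]{64})\?([A-Za-z0-9+/=]+)\?\?=/g;

// What a reader's extension would do: swap each envelope whose key is in the
// keyring for its plaintext; unknown or tampered envelopes are left untouched.
function render(pageText, keyring) {
  return pageText.replace(ENVELOPE, (whole, fp, blob) => {
    const key = keyring.get(fp);
    if (!key) return whole;                 // no key: the garbled string stays
    const raw = Buffer.from(blob, 'base64');
    if (raw.length < 28) return whole;      // too short to hold iv + tag
    try {
      const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
      d.setAuthTag(raw.subarray(12, 28));
      return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
    } catch {
      return whole;                         // authentication failed: show nothing new
    }
  });
}

// Constructed demo: the author shares one key with Bob; Carol holds a different key.
function demo() {
  const shared = crypto.randomBytes(32);
  const other = crypto.randomBytes(32);
  const ring = (k) => new Map([[fingerprint(k), k]]);
  const posted = `status: ${seal(shared, 'meet at noon')}`;
  return { posted, bob: render(posted, ring(shared)), carol: render(posted, ring(other)) };
}
```

Because the mode is authenticated, a post altered by the site or in transit fails to decrypt and is left as the original envelope rather than rendered as corrupted text.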
ShadowCrypt is still a research project, but independent cryptography researcher Justin Troutman says its design demonstrates a useful new approach to online security.
That’s because it offers a way for people to take control of the security of the data they put into a Web service, he says. More often, attention goes only to protecting data as it travels to and from service providers’ servers. “It’s a step toward building a more benign surface for interacting with Web apps,” says Troutman.
A paper on ShadowCrypt, the code for which is open-source, will be presented at the ACM Conference on Computer and Communications Security this week.