After last year’s revelations about U.S. Internet surveillance raised interest in privacy tools, Google and Yahoo both announced they were working on software to let people who use their e-mail services easily exchange encrypted messages.
Now a prototype browser extension called ShadowCrypt, made by researchers at the University of California, Berkeley, and the University of Maryland, goes even further. It makes it easy to send and receive encrypted text on Twitter, Facebook, or any other website.
Using ShadowCrypt, a person who writes or is authorized to read a tweet or e-mail sees normal text. The site operator or anyone else looking at or intercepting the posting would see a garbled string of letters and numbers.
ShadowCrypt was created to show that strong encryption could be made both simple to use and compatible with popular services such as Twitter, says Devdatta Akhawe, a security engineer at Dropbox who helped develop ShadowCrypt as a grad student at Berkeley. “We wanted to show how you could make a practical, fast mechanism that is easy to use,” he says. Akhawe and colleagues tested ShadowCrypt on 17 different major Web services; it worked more or less flawlessly on 14, including Facebook, Twitter, and Gmail.
PGP, software first released in 1991, is probably the best-known software for encrypted messaging, but it is notoriously difficult to master. In general, existing tools for encrypted messaging tend to either require switching to a new service, such as Silent Circle (see “An App Keeps Spies Away from Your Phone”), or are very clunky.
To use ShadowCrypt you install the extension and then create encryption keys for each website you wish to use it with. A small padlock icon at the corner of every text box is the only indication that ShadowCrypt is hiding the garbled encrypted version that will be submitted when you hit the “send” or “post” button.
Other people can read that text if you provide them with the encryption key used to create it to add to their own ShadowCrypt settings. After they have done that, any text they view that has been encrypted with that key appears normal to them.
For example, the tweet below is perfectly readable to anyone that has installed ShadowCrypt, because it was encrypted using the extension’s default key for Twitter.com. Multiple keys can be made for any one site and it is easy to choose from them. You might use a different one for each person you wish to e-mail securely, for example.
=?shadowcrypt-4ff95cef5a76149b687f7b54908cd2fa168794e214cedf9ee1a5df1dfec13057?fYtRaaL8maPP6ud0RldZhAEhO1KGy8pCqOMeSuVzldAwNpkB??=— Tom Simonite (@tsimonite) November 4, 2014
ShadowCrypt is still a research project, but independent cryptography researcher Justin Troutman says its design demonstrates a useful new approach to online security.
That’s because it offers a way for people to take control of the security of the data they put into a Web service, he says. More often, most attention is paid to protecting data only as it travels to and from service providers’ servers. “It’s a step toward building a more benign surface for interacting with Web apps,” says Troutman.
A paper on ShadowCrypt, the code for which is open-source, will be presented at the ACM Conference on Computer and Communications Security this week.