FireGPG Report

Henry Hertz Hobbit hhhobbit at securemecca.net
Fri Jun 22 10:56:03 CEST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

FireGPG:
========

Here is the information on FireGPG which primarily does
INLINE rather than OpenPGP/MIME encryption and signing:

http://firegpg.tuxfamily.org/

FireGPG works well for INLINE encrypting and decrypting.
You can use FireGPG to send / receive GnuPG encrypted
messages.  Further, despite them focusing on using it
with GMail, FireGPG will also work in sending and receiving
encrypted messages with AOL / Netscape, HotMail, and Yahoo
WebMail services.  Read on ONLY if you want to help with
the Signing (also INLINE) which has problems.

I have done some extensive testing of FireGPG.  Here are the
results of the tests (the files will be there until the end
of the present month):

http://www.securemecca.com/FireGPG.zip
http://www.securemecca.com/AOL_FireGPG_SignTest.zip

SHA1 sums of files:
- -------------------
a293f08fb3821f79ed42c2ae6dea50cfe90e98ce  AOL_FireGPG_SignTest.zip
47898a296c797ac1f014ac8442265c0746f348a1  FireGPG.zip

Basically, I had no end of grief in signing.  That was both
in sending and verifying.  I was using FireGPG 0.3.3 to do
the tests.  The commands used to do the signing in 0.4.2.1
are the same as they were in 0.3.3.  The main changes from
0.3.3 to 0.4.2.1 are localization. I can't see anything that
they are doing wrong. Here is the main portion of the signing
code:

putIntoFile(tmpPASS, password); // DON'T MOVE THIS LINE !
try { runCommand(tmpRun,
   '' + this.getGPGCommand() + '' +  " " + tmpStdOut +
   " --quiet --no-tty --no-verbose --status-fd 1 --armor --batch" +
   " --default-key " + keyID +
   " --output " + tmpOutput +
   " --passphrase-file " + tmpPASS + "" +
           getGPGCommentArgument() + getGPGAgentArgument() +
   " --clearsign " + tmpInput); } catch (e) { }
removeFile(tmpPASS);  // DON'T MOVE THIS LINE !

You can find the plugin on 'nix with:

$ find ~/.mozilla/firefox -type f -name firegpg.jar -print

After you copy the file some place else and unzip it using unzip
or your choice of zip program, the files containing the commands
are:

content/cgpglin.js	Linux / Unix  (all tests done w. Linux)
content/cgpgwin.js	Windows

I don't like closed sections, so I changed the VIM directives
at the end of the file using MicroEMACS to:

// vim:ai:sw=4:ts=4:

Your mileage will vary, and if you don't use VIM, it won't
matter.  After that change in all the files I used vim to look
at the files.

The baseline was Thunderbird where all messages signed in
Thunderbird verified in Thunderbird, and all messages encrypted
in Thunderbird decrypted in Thunderbird.

In all WebMail services, signing, verifying, encrypting and
decrypting were always done by selecting the text and then
doing a ^C despite X copying automatically.  But it seemed
to make no difference whether I did that or not.

FINAL RESULTS:
==============
SIGNING / VERIFYING can only be INLINE. But the results are all
over the wall and you can't trust them! The snatching of the text
is fine, but I suspect that after the message is signed, the webmail
mucks around with the spacing characters or plays around with
some hidden characters.  But if it was hidden characters I could
never see them in the file after saving from Evolution which makes
no attempt to interpret INLINE signed or encrypted messages or other
strange extended characters. All of my tests were done with line
lengths of approximately 64 characters to make sure I didn't have
forced wraps, but I think I got a few of them anyway, primarily with
HotMail. I don't think there is anything that they can do about
the signing failure but if the rest of you can look at the code
maybe you can deduce what is going wrong.  I couldn't deduce a pattern
of when it worked and when it failed for me to try to zero in on what
was going wrong.  It was extremely exasperating to get one result on
the command line and a different one in the WebMail or Thunderbird
I saved the message from.  I shifted to SHA1 for some additional
tests with signing and it made NO DIFFERENCE.  Results were still
all over the wall.  I didn't save those tests.

ENCRYPTION is INLINE but it ALWAYS worked for me!  If you are using
Mac's Mail App, Evolution, or some other mail client that only
understands OpenPGP/MIME encryption, then you will have to save
the message to a file and decrypt it manually.  I was able to get
FireGPG to decrypt an OpenPGP/MIME encrypted message from Thunderbird
but it only did it once so I would stick with INLINE.

WARNINGS:  Always be sure to clean your buffer cache after using
FireGPG.  Do a Tools -> Clear Private Data both when closing the
browser and the next time you open the browser. The authors are
native French speakers (one lives in Morocco) so if you want to
converse with them individually by all means shift to Francais
and they will appreciate it and you will get much faster results
in communication.

HHH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGe46jr3QZv1upb6wRCvpbAKCGp/wKUrWmtYYZL3fAYwvfdG20MQCfZ7gw
TBZOq4/wMZWXL2GSuJF5ki4=
=PJVh
-----END PGP SIGNATURE-----
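
Added example (not part of the original post and not FireGPG code): a small JavaScript diagnostic for the INLINE signing failures described above. It applies the canonicalization that RFC 4880 section 7.1 specifies for cleartext signatures (CRLF line endings, trailing spaces and tabs dropped) and classifies how a body copied back out of a webmail page differs from the text that was signed. The function names and sample text are constructed for illustration, and the inputs are assumed to be the cleartext with dash-escaping already removed.

```javascript
// Added example: inputs are the cleartext with dash-escaping already removed.
// Canonical form hashed for a cleartext signature (RFC 4880, section 7.1):
// every line ends in CRLF and trailing spaces/tabs are dropped.
function canonicalize(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.replace(/[ \t]+$/, ''))
    .join('\r\n');
}

// Collapse every whitespace run (JavaScript's \s includes U+00A0) so that two
// texts can be compared by their words alone.
function squash(text) {
  return text.replace(/\s+/g, ' ').trim();
}

// Classify how a received body differs from the one that was signed.
function diagnose(signed, received) {
  const a = canonicalize(signed);
  const b = canonicalize(received);
  if (a === b) return ['signature-safe'];

  const findings = [];
  const nbspFixed = canonicalize(received.replace(/\u00a0/g, ' '));
  if (nbspFixed !== b && !signed.includes('\u00a0')) {
    findings.push('nbsp-substituted');
  }
  if (nbspFixed !== a) {
    if (squash(a) !== squash(b)) findings.push('content-changed');
    else if (a.split('\r\n').length !== b.split('\r\n').length) findings.push('rewrapped');
    else findings.push('whitespace-changed');
  }
  return findings;
}

// Constructed sample: what was signed, and four ways a webmail UI could return it.
const SIGNED = 'Line one of the test message.\nTwo  spaces after the first word here.\n';
const SAMPLES = {
  crlfAndTrailing: 'Line one of the test message.   \r\nTwo  spaces after the first word here.\r\n',
  nbsp: 'Line one of the test message.\nTwo \u00a0spaces after the first word here.\n',
  rewrapped: 'Line one of the test\nmessage.\nTwo  spaces after the first word here.\n',
  collapsed: 'Line one of the test message.\nTwo spaces after the first word here.\n',
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(16), diagnose(SIGNED, body).join(', '));
}
```

Only the first sample leaves the signed bytes unchanged; the other three alter the canonical text, so the same message can verify from a saved file and fail after a round trip through a webmail editor.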
