I added the detection function to the chrome extension this week.
The extension can now detect whether a gnocchi-encrypted file or a gnocchi-signed file is received from the server, as long as the server follows the Multipurpose Internet Mail Extensions (MIME) protocol and the Security Multiparts for MIME, multipart/signed and multipart/encrypted (see RFC-1847 for more information).
To be more specific, the extension checks the headers received from a server and determines whether a gnocchi file is received according to the header named "content-type". I selected header checking rather than data checking for the following reasons:
- Although data checking is more reliable since the information in the headers may not correctly record the content type of a file, we can still ensure security in this case. On one hand, suppose a non-gnochhi file is sent with the header declaring it as a gnocchi file. That file will not be decrypted correctly and it is unlikely for a mis-decrypted file to get passed in the verification process. On the other hand, if a gnocchi file is sent with the header declaring it as a non-gnocchi one, the extension just ignores it, and the user can obtain and decrypt that file from other servers.
- It is more efficient to do header checking. Because we do not rely on something like the "gnocchi servers", every sever can serve as the source of a gnocchi file. Thus, the extension checks the headers received upon every url request to detect a gnocchi file. Generally, the size of the headers is quite minimal, while the size of the file data may vary from extremely limited size to extremely large size. Also, headers are received before the data. Having the extension checking the data every time a url request is made may greatly slow down the browser.
- Lastly, most of the servers follow the protocols mentioned above, and the extension works for those servers.
For normal surfing, nothing happens:
A gnocchi is detectd: For next week, I am going to do some research on File IO in javascript. File IO is critical for replacing the encrypted file with the decrypted one. It seems that Google places a lot of restrictions on File IO for extensions, for some security reasons. Admittedly, File IO can be done with html, but I would like to avoid opening a new webpage prompting the user to input the private key. Also, File IO with html cannot completely solve the problem since I need to find a way to turn a local javascript variable recording the decrypted data into a real file.