OpenPGP Signing of HTTP POST – Introducing Enigform

For years different methods for User Authentication and Session Management have been implemented:

  • HTTP Authentication
  • Cookies
  • GET/POST values
  • SSL Certificates
  • A combination of all the above.

Regarding SMTP, e-mail has been digitally signed for a long time now, and it is a standard. Extending its usage to the HTTP protocol sounds like a natural idea.

By having the POST payload («variable=test») signed using an ASCII-armored, clearsigned, OpenPGP-based procedure, the browsing user can provide identity authentication for that payload, thus adding all OpenPGP benefits to the HTTP POST request.

And that’s exactly what I’ve been doing. I’ve created the Enigform Firefox Extension which, when you go to an Enigform-enabled website, will digitally sign using your local GnuPG keypair.

Currently the extension works on any Unix-like platform where GnuPG is available (and set up), but OSX, Solaris and MS Windows compatibility code is under way.

Here is the abstract of the document linked in this post:

This document describes an extension to the HTTP POST [RFC 2616] method that, along with compatible browser and server-side software, allows the POST contents to be digitally signed, on the client side, and verified, on the server side, by means of an OpenPGP standard [RFC 2440] implementation on both sides. This allows web developers to add a new layer of security to their applications, and if correctly implemented will render data tampering / man in the middle attacks useless. The direct benefit of implementing this extension is that web developers will be able to verify the POST payload signature, potentially avoiding session management, and/or login procedures.

Go to and check out the progress. I’ll have a demo website asap.
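One way a server could perform the verification step the abstract describes, as an added example that is not Enigform's own code: it hands the clearsigned POST body to the `gpg` command-line tool and accepts it only when there is exactly one valid signature from a pinned key. The fingerprint, the `TRUSTED` map and both function names are assumptions made for illustration.

```python
import os
import subprocess
import tempfile
from urllib.parse import parse_qs

# Hypothetical allow-list: primary-key fingerprint -> application user.
# The fingerprint is a constructed placeholder, not a real key.
TRUSTED = {"0123456789ABCDEF0123456789ABCDEF01234567": "alice"}

# Status keywords meaning a signature was seen but must not be accepted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signer_from_status(status_text, trusted=TRUSTED):
    """Return the user for exactly one valid, pinned signature, else None."""
    valid = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in REJECT:
            return None
        if keyword == "VALIDSIG":
            # Last field is the primary-key fingerprint, so subkey
            # signatures still map to the pinned identity.
            valid.append(fields[-1])
    # Zero or several signatures are both treated as failure.
    if len(valid) != 1:
        return None
    return trusted.get(valid[0])


def verify_post(body: bytes, gnupghome: str):
    """Verify a clearsigned POST body; return (user, form) or None."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "payload")
        proc = subprocess.run(
            ["gpg", "--homedir", gnupghome, "--batch", "--status-fd", "1",
             "--output", out, "--decrypt"],
            input=body, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
        user = signer_from_status(proc.stdout.decode("utf-8", "replace"))
        if proc.returncode != 0 or user is None:
            return None
        # Use only the text gpg wrote out: that is what the signature covers.
        with open(out, "rb") as fh:
            signed = fh.read().decode("utf-8")
    return user, parse_qs(signed.strip())
```

The form values are parsed from gpg's output rather than from the raw request body, so text placed outside the signed region of the message never reaches the application.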

About Buanzo

What do I know!