Phillip Pearson - web + electronics notes

tech notes and web hackery from a new zealander who was vaguely useful on the web back in 2002 (see: python community server, the blogging ecosystem, the new zealand coffee review, the internet topic exchange).


Enter the Greasemonkey

Joe Gregorio wins buzzword bingo with his latest article: Secure RSS Syndication.

Basically it's a Greasemonkey script that decrypts bits of Blowfish-encrypted HTML it sees in your browser. So not just something to use for encrypted feeds - it will work just fine for any content that's been encrypted just for you. But I guess it's an article, and there isn't any XML involved if you don't mention syndication :-)

As Joe says:

One observation is worthwhile at this point. Nothing about this Greasemonkey script is particular to syndication. In fact, you could use this technique to publish and read encrypted content on the Web regardless of whether it was included in a syndication feed.

This is incredibly useful, as it really nicely solves the problem of moving really sensitive data through totally untrusted channels. I don't know how Blowfish works - whether it's a public-and-private-key-type cipher, or what - but it's conceivable that a bank website which already sends sensitive information to you could also send you a key to load into your browser and consequently decrypt information in an RSS feed also provided by the bank.

Although... there's a vulnerability here in that somebody could archive your RSS feed for many years until the cipher gets broken, then they'd have access to all your old bank records. Hmm. So maybe not.

How about if the encrypted content wasn't the actual data, but a link to something that would produce something keyed to your current key? The link could be configured to die after a week or so, so somebody cracking your key years later would just get a bunch of useless URLs. Hmm...
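
The expiring-link idea above, sketched as an added example (not code from this post or from Joe Gregorio's article): the feed item carries only an encrypted one-week link, and the server answers that link with the real content sealed under the reader's current key. AES-256-GCM from Node's crypto module stands in for Blowfish here, and the bank.example URL, the in-memory stores and all function names are hypothetical.

```javascript
// Added example: AES-256-GCM stands in for Blowfish; all names are hypothetical.
const crypto = require('crypto');
const WEEK_MS = 7 * 24 * 60 * 60 * 1000;
const links = new Map();            // token -> { resourceId, expiresAt }
const resources = { 'stmt-42': 'Balance: 1,234.56' }; // constructed sample data

function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]).toString('base64');
}

function unseal(key, blob) {
  const raw = Buffer.from(blob, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Publisher: the feed carries only an encrypted, unguessable, short-lived link.
function publishFeedItem(feedKey, resourceId, now) {
  const token = crypto.randomBytes(32).toString('hex');
  links.set(token, { resourceId, expiresAt: now + WEEK_MS });
  return seal(feedKey, 'https://bank.example/item/' + token);
}

// Server: answer a link only while it is live, sealed under the reader's
// current key rather than the key in use when the item was published.
function redeem(url, currentKey, now) {
  const token = url.split('/').pop();
  const entry = links.get(token);
  if (!entry || now >= entry.expiresAt) {
    links.delete(token);            // expired or unknown: nothing to return
    return null;
  }
  return seal(currentKey, resources[entry.resourceId]);
}

// Walk-through with constructed keys and timestamps.
function demo() {
  const oldKey = crypto.randomBytes(32), newKey = crypto.randomBytes(32);
  const t0 = Date.UTC(2005, 4, 1);
  const archived = publishFeedItem(oldKey, 'stmt-42', t0); // what an archiver keeps
  const url = unseal(oldKey, archived);   // all that the old key ever reveals
  const fresh = unseal(newKey, redeem(url, newKey, t0 + 1000));
  const late = redeem(url, newKey, t0 + WEEK_MS + 1);      // years later: dead link
  return { fresh, late, leaked: url.includes('Balance') };
}
```

This only protects the archived feed: the response to the link is itself ciphertext that needs a protected transport, or anyone who captures it as well is back to the archive-and-wait problem.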