Using scramble as a component for GlobaLeaks for OpenPGP messaging?

[fpietrosanti]

Hi,

at GlobaLeaks (http://github.com/globaleaks/globaleaks) we are discussing about implementing secure messaging between anonymous whistleblowers and journalists using OpenPGP.js . https://docs.google.com/document/d/1L8yVgarISeIxIvsFgoT3cF1MYzhEa6YyZzOAsAvR-yY/edit?usp=sharing

I see that scramble project would be very interesting if we could use it / integrate it as a software component for the client-component and to re-use/integrate it in our Python/Twisted REST backend.

What do you think that would be something doable or it would require a complete, heavy refactor of scramble architecture to do so?

[dcposch]

I don't necessarily agree with GlobaLeaks, but you're welcome to use Scramble for whatever purpose you'd like. I want Scramble to be federated--it's great if organizations run their own secure email servers.

I recommend running the Scramble server it as a separate service. I don't quite know what you mean by "integrate". Porting the backend to Python would certainly be a lot of work for you, and the benefit is unclear.

There's a new major update coming very soon---if you want to see where Scramble is now and evaluate whether it's useful to your project, I recommend making a test account on the staging server, test.scramble.io . (Being a staging server, it's plain HTTP, and the account may be wiped at any time---so certainly don't use it for any real purpose---but it'll let you send encrypted email to yourself or another test account, unencrypted email to/from an outside address, and try out the features.)

On Sun, Oct 27, 2013 at 4:33 AM, Fabio (naif) Pietrosanti < notifications@github.com> wrote:

Hi,

at GlobaLeaks (http://github.com/globaleaks/globaleakshttps://github.com/globaleaks/globaleaks) we are discussing about implementing secure messaging between anonymous whistleblowers and journalists using OpenPGP.js .

https://docs.google.com/document/d/1L8yVgarISeIxIvsFgoT3cF1MYzhEa6YyZzOAsAvR-yY/edit?usp=sharing

I see that scramble project would be very interesting if we could use it / integrate it as a software component for the client-component and to re-use/integrate it in our Python/Twisted REST backend.

What do you think that would be something doable or it would require a complete, heavy refactor of scramble architecture to do so?

— Reply to this email directly or view it on GitHubhttps://github.com/dcposch/scramble/issues/42 .

[jaekwon]

Why do you need a custom backend at all?

When it comes to securing the contents of the communication, Scramble is pretty good. It's better than what is offered by SecureDrop, from what I could gather. It should be possible to do secure messaging between any two parties using Scramble if the whistleblower uses an anonymous account connected through Tor, using a secure OS, etc.

There is the need to secure the user's computer from malware in attached documents, but you do that with an airgapped computer, not with special server code.

If you guys are open to the idea of it, perhaps you should just fork Scramble and make it work for you. I can certainly help with attachment support, etc. I do believe major journalist organizations will be running their own Scramble servers in the not-too-distant future :)

[fpietrosanti]

@jaekwon in the GlobaLeaks design the application have to be self-contained and installed as a single piece of software to reduce the entrance barrier and increase adoption. So, because we will have to do a client-side encrypted messaging integrated with the GlobaLeaks backend, and scramble is a client-side encrypted messaging system, i was wondering how much scramble can be-reused as a technological component:

• if it does provide documented backend API that we need to implement on our python backend
• if it does provide some "well abstracted" JS client-side component that we can re-use

Our target is to implement the specification like described before, but i see a lot of stuff that could be done by leveraging "piece of scramble software" without having to goes reinventing or rewriting many piece of code .

[jaekwon]

The Scramble server + client as a gestalt cannot be picked apart and integrated into other systems. Of course you can write a python backend that interfaces with the mysql backend database, but there is no server-side API at the moment, nor any planned. You can also utilize the Scramble notary system (https://github.com/dcposch/scramble/wiki/Name-Resolution-&-Public-Key-Fetching) but I don't think that is what you're looking for.

If you are looking to do client-side encryption on top of an existing backend architecture for GlobalLeaks, then what you want to use is bare openpgp.js. You can look at our static/js/app.js code for hints on how to use it.

But it does sound like there will be much duplicate work between GlobalLeak's system and Scramble's system. Scramble is not just a client, it is a client + many-servers federated architecture. Supporting journalists and whistleblowers is just part of what Scramble offers as a secure communication system. In other words, Scramble by itself is meant to be sufficient for journalists and whistleblowers when used in conjunction with a secure hardware/operating-system/browser stack & with network obfuscation like Tor.