mozdev.org

enigform

resources: Home Web Forum Mailing List Installation Changelog Source Code Members Bugs Screenshots
Main Links

Do you like this project? Me too. Would you consider a donation?

Welcome to Enigform. Welcome to a new kind of HTTP Authentication!

Enigform is a Mozilla Firefox extension that provides you the ability to digitally sign HTTP requests, even those generated via AJAX calls. It implements the mechanism described in the white paper entitled OpenPGP Signing for HTTP by Arturo Buanzo Busleiman.

You can obtain support via our exclusive #enigform channel at the Buanzo IRC Network. Just /server to irc.buanzo.org!

This extension is focused on adding an extra layer of security to the HTTP protocol. There is also a great extension called Enigmail that enhances Mozilla Thunderbird with PGP capabilities. You can check out Enigmail at its Mozdev Page.

There is also another GnuPG extension for Firefox, which brings an interface to encrypt, decrypt, sign or verify the signature of a text in any web page using GnuPG. It is called FireGPG and it is quite cool!

Introduction

For years different methods for User Authentication and Session Management have been implemented:

Regarding SMTP, e-mail has been digitally signed for a long time now, and it is a standard. Extending its usage to the HTTP protocol sounded like a natural idea, specially at 3am when I woke up with a OpenPGP-signed HTTP POST request in my head.

By having the GET query string and the POST payload ("variable=test") signed using an ASCII armored, Clearsign, OpenPGP based procedure, the browsing user can provide Identity and Data Authentication to that payload, thus adding all OpenPGP benefits to the HTTP protocol.

This allows web developers to add a new layer of security to their applications, and if correctly implemented will render man in the middle attacks useless. The direct benefit of implementing this extension is that web developers will be able to verify the payload's signature, potentially avoiding obscure session management, and/or complicated login procedures.

For example, Highly Secure Home Banking sites could be created by using Enigform + some simple server side code, or by using the Apache module mod_auth_openpgp, that can verify the requests automagically and which, in combination with mod_access, can allow/reject requests.

Enigform Developers TEST site

The NEW Enigform Test site is a simple PHP script that allows users to test Enigform functionality for GET and POST, while showing lots of potentially useful debugging information. Although it does not have an "import key" feature, it is a great resource for developers.

Enigform Demo Site - Smutty Based

Smutty is the first PHP MVC Framework that supports Enigform. It's also a WONDERFUL framework, that I really like. Rod, the author, has created a demo of an Enigform-based login procedure. So, if you want to try it out: configure your GnuPG (that is, create a key pair), Install Enigform (make sure it is version 0.7.6!), then visit http://smutty.pu-gh.com/demo/enigform.

Example Server-Side PHP Code

Currently, only the Smutty PHP MVC Framework supports Enigform. If you plan on deploying a site that supports this new kind of authentication and integrity system, you can also check out the Smutty API for the Smutty_GPG Class and derivatives.

Additionally, you can download the Enigform Test Site PHP script directly from this location

The Enigform site at Mozdev.org has been accessed Visitor Counter by Digits times (since the counter is running!)

The enigform project can be contacted through the mailing list or the member list.
Copyright © 2000-2009. All rights reserved. Terms of Use & Privacy Policy.