Secure messaging in the browser

By observing news and public discussions I feel that there is a growing awareness of data privacy and an increasing demand for secure person-to-person communication. In order to address my communication needs, I plugged together a few Javascript libraries and started the Webencryption [1] project on Github.

What is Webencryption?

Webencryption is a rather crude message encryption and decryption web application that runs in the browser from the local filesystem.

While there are allegedly secure messaging applications, it bothers me that they come packaged as binary programmes which I cannot inspect with reasonable effort and that their network traffic is routed through the manufacturers’ servers. I wanted a secure messaging solution that is simple enough for me to understand, that does not require compilation into unauditable binaries and that does not depend on any servers not operated by me.

Building on those requirements one would substitute “I” and “me” with anyone: anyone should be able to understand and audit the solution and it should not depend on binary packages or servers.

Some goals and features:

  • It is meant to be used by people with medium technical affinity
  • It can be run on a computer with a browser in offline mode
  • It does not require network connectivity
  • It can be run from the local file system
  • It is an encryption system based on RSA
  • It is open source
  • It is run directly from source

How does it work?

Webencryption is a set of HTML and Javascript files that are downloaded to a computer’s filesystem and run from there in a browser. There is no need for a package manager or build tool like npm or nodejs.

It encrypts and decrypts text messages with RSA but does not send them anywhere, as this would fail the requirement of avoiding network communication. Conversation participants have to rely on classical communication means like a chat messenger or email to send each other the encrypted messages; Webencryption will only en/decrypt those messages.

The private and public RSA keys are derived from a secret passphrase and are not stored in Webencryption; users have to take care of that.


[1] Webencryption


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.