Just recently FireGPG released their 0.5 version which along with other bug fixes and feature additions, includes the ability to automatically reading inline GPG/PGP key blocks from websites. This perfectly fits into an idea I was thinking about a few weeks ago.

UPDATE 7/14/08: FireGPG's newest version supports symmetrical encryption and line breaks making it even easier to do what I'm talking about.

The idea is that using FireGPG you can encrypt your posts to public web pages, forums, wikis, and even MySpace (if you still use that) so that only you, or whomever possesses the private key can decrypt.

For example, say you have a very private message that you and your friend would like to share but you want to make sure no one can read it while you are writing it and that no one can read it after you've posted it. You generate a key for your posts and then you send your friend the private key, and she decrypts it but no one else can. Not even the owner of the website.

Why would you want to do this?

1. It's an alternative to SSL if you don't have the ability to set it up (forums, blog comments) [There are other alternatives I've seen done with Javascript but most of them site security flaws]
2. Way of keeping private posts private even from server owners
3. Encryption is fun!

Why would you not do this

This is a last stretch effort and by no means is it a perfect solution. In fact, the public key encryption just does not fit in with this but I haven't found many general encryption plug-ins to encrypt a message with great confidence. Plus it doesn't give you control of revoking the key if it gets stolen. Do not use this as a serious solution but an example of what someone COULD do.

One of the requests at FireGPG is that they can support symmetric encryption which would work much better in this situation. Until then, this still works pretty well.

Install GPG

http://www.gnupg.org/download/index.en.html

I'm really not going to go through the process of installing on your system because it's very easy. Use the site's documentation.

Generate a GPG Key For Your Usage

You can always use your GUI of choice to do this but from command line here's the easiest way: gpg --gen-key

Follow through the steps to create your key.

Install FireGPG

Install FireGPG from here - http://getfiregpg.org/install.html

Encrypt Your Posts:

After FireGPG is installed, you now have a FireGPG menu option when you select a block of text and right-click. So the process is this:

1. Write the post or whatever you're sending to a site
2. Select the entire text before submitting
3. Right click and select the FireGPG menu option
4. Click Encrypt
5. Select the key that you created above and click OK

This will create an encrypted version of your post ready for you to submit.

Decrypting Websites

When you want to view an encrypted post, FireGPG automatically sees it and prompts you to decrypt it. If you have tons and tons of posts, it's going to be very annoying to decrypt every message but it woudl work.

Granting Access

The last part is just giving the private key to those who should be able to see your posts. One obvious way would be this:

1. export the private key
2. encrypt it with your friend's public key
3. email it to him or her

External Links:

http://getfiregpg.org/ - FireGPG Firefox plugin
http://www.gnupg.org/ - GPG website
http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html - GPG HOWTO manuals

One of my clients had the problem of users being excessively prompted to update Firefox

A new version of Firefox is available:
It is strongly recommended that you upgrade Firefox as soon as possible

It then shows the "Download and Install Now" button but eventually fails when a normal users runs it because they are not local admins. This prompt repeats over and over until IT gets a phone call about how they hate Firefox and are going to go back to using IE.

It's actually as simple as you may think. If you change "C:\Program Files\Mozilla Firefox" to allow "YOURDOMAIN\Domain Users" write access, a normal user can update Firefox.

You can go around to each workstation but where is the fun in that? The builtin program "cacls" with the help of PSExec will let you update all of the computers on a site. This idea was put together by my friend with a little tweaking on my part. Basically you just create a list of computers, and then run the command remotely on each one.

Create a List of Computers

You can do this however you'd like but for me I like to export a list of computers them from ADUC. This will only help if your computers are in the same folder or OU. You could always just write down the names of the computers but that's boring.

1. Open Active Directory Users and Computers
2. From the menu bar choose View > Add / Remove Columns
3. Remove all columns that are not Name [Type, Description] and click OK
4. Open the folder or OU that contains the computers you would like to update
5. Right-click on the folder or OU and choose "Export List..."
6. Save the file as "computer_list.txt" somewhere logical to you

Create the Script

Here is the entire command all together. Hopefully it's obvious to change the YOURDOMAIN\ADMIN_ACCOUNT to an account that is a member of the Domain Admins group and change YOURDOMAIN\Domain Users to whatever your domain is.

psexec @computer_list.txt -u YOURDOMAIN\ADMIN_ACCOUNT cacls “%SYSTEMDRIVE%\Program Files\Mozilla Firefox” /E /G “YOURDOMAIN\Domain Users”:W

You will want to put this into a batch file because you'll have to run it again or on a regular basis if some of your computers are turned off or not on the network when you're running the script.

External Links

http://woodruffrc.com/allow-non-admin-users-to-update-firefox.html/trackback - link to my friend's website who actually did the testing and put everything together