Enigform is a Mozilla Firefox extension that lets you digitally sign HTTP GET and POST requests, even those generated via AJAX calls. The project implements the mechanism described in the white paper entitled "OpenPGP based Identity and Data Authentication for HTTP POST payload" by Arturo Buanzo Busleiman. Okay, me.
This extension is focused on adding an extra layer of security to the payload of HTTP POST requests. There is also a great extension called Enigmail that enhances Mozilla Thunderbird with PGP capabilities. You can check out Enigmail at its Mozdev Page.
For years, different methods for User Authentication and Session Management have been implemented:
· HTTP Authentication
· GET/POST values
· SSL Certificates
· A combination of all the above.
Regarding SMTP, e-mail has been digitally signed for a long time now, and it is a standard. Extending its usage to the HTTP protocol sounded like a natural idea, especially at 3am when I woke up with an OpenPGP-signed HTTP POST request in my head.
By having the GET query string and the POST payload ("variable=test") signed using an ASCII armored, Clearsign, OpenPGP based procedure, the browsing user can provide Identity and Data Authentication to that payload, thus adding all OpenPGP benefits to the HTTP protocol.
This allows web developers to add a new layer of security to their applications, and, if correctly implemented, will render man-in-the-middle attacks useless. The direct benefit of implementing this extension is that web developers will be able to verify the payload's signature, potentially avoiding obscure session management and/or complicated login procedures.
For example, highly secure home banking sites could be created by using Enigform plus some simple server-side code.
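As an added illustration of the server-side check described above (this is not Enigform's code), the following Python parses the OpenPGP cleartext-signature framing around a payload such as "variable=test" and confirms that the body the application is about to process is exactly the signed text. It assumes the server already holds the request body and the clearsigned block as strings; how Enigform transmits them is not described here, the function names are hypothetical, and the cryptographic verification of the signature must still be done by an OpenPGP implementation.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: the signature body is a placeholder, not a real signature.
SAMPLE = "\n".join([BEGIN_MSG, "Hash: SHA256", "", "variable=test",
                    BEGIN_SIG, "", "PLACEHOLDER", END_SIG, ""])


def _canon(text):
    """Normalise line endings and drop trailing spaces/tabs, as clearsigning does."""
    return [ln.rstrip(" \t") for ln in text.replace("\r\n", "\n").split("\n")]


def parse_clearsigned(armored):
    """Return (hash_names, signed_text, signature_block) or raise ValueError."""
    lines = armored.replace("\r\n", "\n").split("\n")
    if lines[0] != BEGIN_MSG:
        raise ValueError("missing signed-message header")
    i, hashes = 1, []
    while i < len(lines) and lines[i] != "":   # armor headers: only Hash allowed
        name, sep, value = lines[i].partition(": ")
        if name != "Hash" or not sep:
            raise ValueError("unexpected armor header")
        hashes += [h.strip().upper() for h in value.split(",")]
        i += 1
    i += 1                                      # skip the blank separator line
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]                     # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped dash line in signed text")
        body.append(line)
        i += 1
    if i >= len(lines) or END_SIG not in lines[i:]:
        raise ValueError("missing signature block")
    end = lines.index(END_SIG, i)
    if any(ln.strip() for ln in lines[end + 1:]):
        raise ValueError("data after signature block")
    return hashes, "\n".join(_canon("\n".join(body))), "\n".join(lines[i:end + 1])


def signed_payload_matches(received_body, armored):
    """True only if the body the application will process is the signed text."""
    _, signed_text, _ = parse_clearsigned(armored)
    return "\n".join(_canon(received_body)) == signed_text
```

A request whose body differs from the signed text by even one parameter fails the comparison, so the application never acts on data the signer did not sign.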
· Mozilla Firefox