How To Achieve True Privacy On The Web: DOMCrypt

The Internet was invented so that data could be decentralized and liberated. Well, so much for that idea. With the rise of services such as Facebook and Twitter we are back to the original mainframe problem: everything is stored and controlled by a central authority. Ironically, today's "to the cloud" meme is making us depend on central authorities even more.

So what about data privacy? In this centralized model we go about our online lives constantly posting data to all these different servers that we trust. If you send email through Gmail then you're trusting Google with a lot of personal information. This is risky! Snafus are bound to happen.

Think for a minute about how you create Web data. You type it into a form on a web page then click the submit button (which POSTs to a server). Services like Gmail are smart enough to always use SSL for this communication and others will learn soon enough (dude, where's my SSL?). SSL fixes the snooping problem but even then you are still sending the data in raw form to a single service that you trust.

Why not encrypt everything in your browser before sending it anywhere else? As Robert Accetturra writes this is how Firefox's sync service works and it makes a lot of sense. All your personal data (bookmarks, browsing history, etc) is encrypted locally then sent up to Mozilla's sync servers where no one can decipher it but you.

Can we have this? The answer is yes! A colleague of mine, David Dahl, has been thinking about this exact problem and has created an experimental Firefox addon called DOMCrypt that exposes native (read: fast) cryptography functions that can be called from any website in JavaScript. The catch is that the website will only work in Firefox when the addon is installed so consider this a proof of concept. Check out the demo here. Most other browsers also have native cryptography baked in so it would probably be super easy to expose a similar crypto API. Spread the word and make some noise. Data privacy is pretty important and with a little help from vendors, it's within our reach. DOMCrypt will be available on soon but you can install the XPI from the demo page above.