Which browsers are supported by the web version of PassLok?
PassLok runs on WebKit-based browsers (Chrome, Safari, Opera), Firefox and its derivatives, and Edge, both PC-based and mobile. It runs on Internet Explorer, but only if loaded from the server; it does not run from a saved file. Chat functions run reliably only on Firefox and Chrome (computer or Android).
Is there a difference between versions of PassLok?
The web app and the native Android app are the same, except that the Android app has extra code to turn the core html code into a native app.
The web app, accessible from any browser, and the Chrome or Firefox app are essentially the same code, except that the extension code is split into several files because of restrictions imposed by Google and Mozilla. You can inspect the code of all versions from your browser. The version on GitHub is almost the same as the Chrome/Firefox extension.
The Chrome/Firefox version has a nifty additional feature over the other versions. It syncs the local directory between devices running Chrome or Firefox, respectively, so long as the user logs into the same Chrome or Firefox account and uses the same user name in PassLok.
PassLok for Email and PassLok Universal do look very different from the other versions, since they are designed to integrate with email pages, but the encryption algorithms are the same.
PassLok starts by asking me for a Key, and then for my email. Is it making an account somewhere?
Absolutely not. PassLok does not talk to servers, so the Key and the email you are being asked to supply are for encrypting things locally. The email is optional and does not need to be your email, either. The email is stored locally, but the Key is never stored anywhere.
PassLok's true power lies in its ability to lock (encrypt) messages that only the owner of a particular Key can unlock (decrypt). If you want people to send you confidential messages that have been encrypted with PassLok, you need to have a Key in order to decrypt them. So the sooner, the better, and this is why PassLok asks you to come up with a Key before you do anything else.
PassLok for Email refers to your Key as your Password, but it is the same thing. It does not ask you for your email because it gets it directly from the email page.
What is a Key?
A Key (or Password, in PassLok for Email) is a secret piece of text that allows you to decrypt items that have been rendered unreadable in PassLok. There are two kinds of Keys:
- Secret Keys, which only one person knows and doesn't share with anyone. You need a secret Key to do most things.
- Shared Keys, which two or more people know. They are optionally used to encrypt and decrypt messages and files. PassLok for Email does not support this kind.
What is a Lock?
A Lock is a public (not secret) string of 43 characters (50 characters for ezLoks), optionally wrapped in tags of the form PL**lok (** is the version number) or PL**ezLok. A Lock always matches a Key. Users can encrypt items with a Lock, so that nobody except the person who has the matching Key can decrypt them.
You can always make the Lock from the Key, but it is impossible to retrieve the Key starting from the Lock. This is what makes everything work.
PassLok for Email sends out the sender's Lock at the start of every encrypted message, thereby freeing users from the hassle of maintaining a database of their friends' Locks.
What makes for a good Key?
A good Key contains lowercase letters as well as caPitals (not at the start), numb3rs (not at the start or the end, either), and $pecial characters. It is at least 12 characters long. If common words are used, they are misppelllled. It is not a number that can be easily related to the user, such as a birthday or a piece of his/her national ID number.
PassLok has a built-in process to evaluate Key strength, based on an English dictionary and a sophisticated measurement of information entropy. Please take some time coming up with a secret Key that PassLok rates as Medium, Good, or even Great. PassLok compensates for bad Keys by adding extra calculations, so if PassLok seems slow, you can speed it up by choosing a better Key.
PassLok also knows the 1000 most frequently used passwords and their variations, and won't give you any credit for them if you use them as part of your Key.
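To make the strength-rating idea concrete, here is an added example, not PassLok's own code, of a Key-strength estimator built along the lines the answer above sketches: dictionary words earn only a flat, small credit, the most common passwords (and their leet-style variations) earn nothing at all, and whatever remains is scored by character-class entropy, with small penalties for the predictable placements the answer warns about. The word lists, the per-word credit, the penalties and the Weak/Medium/Good/Great thresholds are all constructed assumptions; the page does not give PassLok's real lists or formula.

```javascript
// Added example, not PassLok's own code. Word lists, credits, penalties and
// thresholds below are constructed assumptions for illustration only.

// Constructed stand-ins for an English dictionary and for the list of the
// most frequently used passwords.
const DICTIONARY = ['correct', 'horse', 'battery', 'staple', 'summer', 'apple'];
const COMMON_PASSWORDS = ['123456', 'password', 'qwerty', 'letmein', 'dragon'];
const WORD_BITS = 12;          // ~log2(4096): credit for one whole dictionary word (assumption)
const WORD_MARKER = '\u0001';  // stands in for a recognised dictionary word

// Fold common leet substitutions so that p4ssw0rd is recognised as "password".
function normalize(key) {
  return key.toLowerCase()
    .replace(/[4@]/g, 'a').replace(/3/g, 'e').replace(/[1!]/g, 'i')
    .replace(/0/g, 'o').replace(/[$5]/g, 's').replace(/7/g, 't');
}

// Alphabet an attacker must search, from the character classes actually present.
function poolSize(key) {
  let pool = 0;
  if (/[a-z]/.test(key)) pool += 26;
  if (/[A-Z]/.test(key)) pool += 26;
  if (/[0-9]/.test(key)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(key)) pool += 33;   // printable ASCII punctuation
  return pool;
}

// Replace every occurrence of each listed word (longest first) with `marker`.
function mask(text, words, marker) {
  let out = text;
  for (const w of [...words].sort((a, b) => b.length - a.length)) {
    out = out.split(w).join(marker);
  }
  return out;
}

// Rough entropy estimate in bits.
function estimateBits(key) {
  if (!key) return 0;
  const perChar = Math.log2(poolSize(key));
  // Common passwords get no credit, whether typed plainly or in leet form.
  let text = mask(key.toLowerCase(), COMMON_PASSWORDS, '');
  text = mask(normalize(text), COMMON_PASSWORDS, '');
  // A dictionary word collapses to a single marker worth WORD_BITS.
  text = mask(text, DICTIONARY, WORD_MARKER);
  let bits = 0;
  for (const c of text) bits += c === WORD_MARKER ? WORD_BITS : perChar;
  // Predictable placement: capital at the start, digit at the start or the end.
  if (/^[A-Z]/.test(key)) bits -= 2;
  if (/^[0-9]/.test(key) || /[0-9]$/.test(key)) bits -= 2;
  return Math.max(0, Math.round(bits));
}

// Map the estimate onto a Weak / Medium / Good / Great scale (thresholds assumed).
function rateKey(key) {
  const bits = estimateBits(key);
  if (bits < 36) return 'Weak';
  if (bits < 50) return 'Medium';
  if (bits < 70) return 'Good';
  return 'Great';
}
```

Note that the common-password check runs both before and after leet normalization, so that "123456" (which normalization would mangle) and "P4ssw0rd!" (which only matches after normalization) are both caught.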
How many encryption modes does PassLok have?
PassLok has six main encryption modes, and most of those have two or more variations. But fear not, since they are easy to distinguish. In most cases, you can tell the encryption mode by the tags at the beginning and end of the messages:
- Symmetric mode (tags can be anything): items are encrypted with a shared Key, and decrypted with the same shared Key.
- Anonymous mode (tags are PL**msa): items are encrypted with a Lock, and decrypted with the matching secret Key.
- Signed mode (tags are PL**mss): items are encrypted with a Lock and a secret Key, and decrypted with the respective matching Key and matching Lock.
- Read-once mode (tags are PL**mso): as in Signed mode above, but messages become unreadable to everyone as soon as they are unlocked.
- Pad mode (tags are PL**msp): like Symmetric mode, but using a Key that is at least five times longer than the message. This mode ensures perfect secrecy, meaning that no amount of computing power present or future, including quantum computing, can decrypt the message without knowledge of the Key.
- Human mode (tags are PL**msh): a symmetric cipher that can also be done by hand, with paper and pencil and a ready-made Tabula Recta. Very secure for a human-computable cipher. It is triggered when a three-part key (parts separated by bar characters like this | ) is entered in the Key area.
The asymmetric modes must be selected on the Main tab before they are used for encryption (selection is automatic for decryption). Symmetric mode is used automatically if a shared Key is supplied instead of a Lock. Likewise, Pad mode is used automatically if the supplied Key is long enough.
For each of these modes, there are three possible additional variations, which are not necessarily used and are not mutually exclusive:
- Short mode: the output fits within an SMS or Text message (160 characters) (not supported in PassLok for Email).
- Compatible mode: the output (no length limit) can be decrypted in URSA or SeeOnce, also by yours truly.
- Hidden message mode: there is an additional message, encrypted under a separate Key or Lock, hidden within the encrypted message; this mode is designed to be undetectable.
Can I sign documents with PassLok?
Yes, you can "seal" a piece of text or encoded file using your secret Key, which results in a sealed item with tags PL**sld. Sealed items are random-looking but they are not encrypted. People can verify your seal if they know the Lock matching the signing Key. If verification is successful the item is retrieved and the result of verification appears as a message.
Does PassLok work with files?
Files can be loaded as encoded text (extension .txt) or binary (extension .plk). They can be encrypted, decrypted, sealed, split, etc. PassLok can also be directed to output into files.
This function is especially handy for large items, which can be encrypted this way and then attached to an email.
Since mobile OSs impose severe restrictions on file access, this function is unavailable on mobile devices.
How about texting?
On mobile devices, there is an SMS button, which will open the device's default texting app. Be aware, though, that you must first copy to clipboard whatever you want to text, since webpages are not allowed to access the clipboard directly.
Can PassLok do real-time chat?
It sure does. It works by first making a "chat invitation" from the Main tab (a radio button, in PassLok for Email), including those recipients that should be able to decrypt the invitation. The invitation encodes the type of chat, an optional short message where you can write the time for the chat and other information, and a random code to set up a private chatroom using a public signaling service to initiate the connection, plus a password that every participant must supply before connection can take place. Once connected, data travels directly between participants without using any servers.
There are three levels of chat, selected at the time of making the invitation: text plus files, with audio, and with video. In the video mode, PassLok chat is a lot like Skype or Google Hangouts, except that it is encrypted end-to-end and no servers are listening, and no one needs to set up an account anywhere. There is also an option to set up a Jitsi video chat, which does not need any accounts, either.
I don't want my messages to look encrypted. Can PassLok help with that?
PassLok can disguise its output as apparently normal text, or hide it within images. You have five different ways to disguise as text, selectable from the Options tab. Image hiding can output in the png and jpg formats, and can incorporate a second hidden message under a separate Key. PassLok for Email and PassLok Universal include only the "letters" and "invisible" text hiding modes, but they have all the image hiding functions.
What is PassLok's greatest weakness, and how do I protect myself against it?
PassLok is based on extremely powerful cryptography and is easy to obtain. PassLok's mirrors are scattered around the world to prevent tampering, but there is still a possibility that someone has tampered with the specific copy you are using by hacking into its source, so that you get code that looks and behaves like the genuine PassLok but whose underlying cryptography has been weakened: others could then unlock what you lock or what someone else locks for you to read, or impersonate your signature.
You can defend against this by using PassLok only after you have verified its authenticity. The Get PassLok page tells you how to do it by watching a one-minute video and doing a simple operation on the source code. It only takes a minute to verify PassLok Privacy, after which you can save it locally and nobody without direct access to your machine can do anything.
If you are using the Chrome/Firefox app or the Android native versions, or PassLok for Email, code authentication is taken care of by Google or Mozilla, so that code that doesn't match a digital signature added by the store won't be accepted. In other words, if you trust Google or Mozilla, you don't have to worry about this problem.
PassLok's second weakness has to do with a man-in-the-middle posing as your intended recipient. You can prevent this by making a Lock authentication video, not unlike the PassLok verification video, as explained in the built-in help, so that your correspondents can check your Lock before they encrypt messages for you. If this is not possible, the PassLok help system also contains instructions on how to use the interlock protocol to reveal whether or not there is a man-in-the-middle for a particular exchange.
But PassLok is written in JavaScript, which makes it inherently unsafe, right?
Not necessarily. JavaScript code is liable to be replaced by malicious code by a method called code injection, but this is only triggered if the original code calls an outside resource or if the user clicks a link within the page. PassLok does all its work client-side, without ever calling an outside resource. The few user-clickable links are to display video tutorials or a list of mirrors, and they always open on a separate tab. Network-based features such as Chat run within iframes without contact with the core PassLok code, or on separate tabs. If you are concerned about code injection, please reload PassLok after clicking any link, which will restore the code to its original state, and turn off all browser extensions before you run PassLok.
The Chrome/Firefox version runs as an extension, and cannot be seen or interfered with by other add-ons and extensions running on the browser. You can get a similar level of security on the web app version if you call it from a security shell such as PageCage. Here are some links: PageCage for Chrome, PageCage for Firefox.
On the other hand, the transparency of JavaScript allows users to inspect the code and make sure there are no malicious operations. You cannot do this with regular compiled code. With compiled programs, you always have to trust that the program is doing what the developer says it is doing. Not so with PassLok.
The built-in help system is complete but I still want more. Is there a manual?
PassLok's Help tab is designed around a "How To" model. More detailed documents are in the Articles section within this website. There is a PDF manual, too, and a technical document describing PassLok "under the hood." Both can be accessed through links near the end of PassLok's Help tab.
And, of course, there is the Learn PassLok tab on this website, which takes you to a fully functional copy of PassLok Privacy and a series of lessons on the most essential functions.
Still, there is so much you can do with PassLok that it may be a bit overwhelming at first. You may want to get started with something simpler. For instance:
- URSA is a simplified version of PassLok Privacy, involving only symmetric encryption. You can get info on URSA at http://ursa-app.weebly.com
- SeeOnce takes PassLok's Read-once mode and makes it automatic. Info on SeeOnce is available at http://see-once.weebly.com
Why are you doing this?
Because I love people, and I believe their ability to communicate privately is a God-given right. When they exercise it, they are supporting innovation, free exchange of ideas, better government, and then everyone benefits. It's the bad, tyrannical governments throughout history that fear ironclad private communications, because they see enemies everywhere.
Will terrorists and pedophiles be able to use PassLok? Sure, as they also use roads, electricity, and indoor plumbing. But likely they are already using something heavier than PassLok to protect their online communications. It's the little guy on the street who is having his privacy trampled on these days, and this is the guy I am trying to serve.
For the legally minded, PassLok's End User License Agreement explicitly forbids using PassLok to commit crimes. There is also a Canary whose digital death will tell you if I've been forced to introduce changes at variance with this covenant.
Who are you?
My name is Francisco Ruiz. I have been a professor at the Illinois Institute of Technology, in Chicago, since 1987. In addition to cryptography, I have interests in energy, transportation, literature, music, photography, and theology. You can read some more about them at my page at IIT, or my personal page at prgomez.com, which also includes many other projects on cryptography. Drop me a line at ruiz@iit.edu