This page sends
encrypted email that automatically decrypts itself when the recipient types in
the passphrase. This is automatic if the sender uses Netscape and the recipient
uses Netscape or Internet Explorerer as a mail reader. The email is encrypted
with ARCFOUR, which is generally considered secure.
Enter the email address of the recipient, the subject for the email, the
secret passphrase (twice), and the message that is to be encrypted and sent.
Then click "email to". The recipient doesn't need a decryption program. The
email will automatically decrypt itself if the sender used Netscape and the
recipient used Netscape or Microsoft Internet Explorer as a mail reader.
If the sender doesn't have Netscape, click "email to" without entering any
email address, and the encrypted message will appear in a new window. That
message can be cut and pasted into any email program. If the recipient doesn't
use Netscape or MSIE for email, the recipient should save it to a file named
EMAIL.HTML, and load it into a browser to read it.
If the two passphrases don't match, then both are erased, and no email is
Netscape warns that the email will be unencrypted, but it is wrong.
Save this page to disk and edit it to see the actual code doing the
encryption and sending the email.
The encryption is done locally and is never sent to the server,
so the server cannot see the message, and cannot tell who is being sent the
email. Of course the server could modify this page to eavesdrop, but if you know
sure that didn't happen. An email server could also attack the message that is created,
modifying it capture the recipient's passphrase as it's entered. The message should
at least be secure against passive eavesdropping.
This encryption program uses ARCFOUR, implemented in
ASCII). The key is the concatenation of IV + passphrase. The first 256 bytes of
stream are dropped. If you create a good passphrase,
it will be impossible to break this through brute force. At this time, there is
no publically-known way to break this faster than brute force.
For more information about ARCFOUR, see section 17.1 of Applied
Cryptography, 2nd ed., by Bruce Schneier. He uses the trademarked name
for the algorithm, derivable from "ARCFOUR" by dropping the "A" and converting
"FOUR" to a digit.
NOTE: This page contains only open-source crypto code, and the BXA was
notified of its existence in accord with this EAR amendment
(p. 2, last column).