759688 - Implement support for the "http+aes" scheme

Status: RESOLVED WONTFIX

(Core :: Networking, enhancement)

Description

[Johannes Roith]

The WHATWG spec since March 2012 contains a suggested scheme "http+aes". (See http://www.whatwg.org/specs/web-apps/current-work/multipage/iana.html#http+aes-scheme .)

This seems to be very useful and Firefox should implement it, particularly for storage services like Dropbox which could deliver files that are encrypted on Amazon S3 directly in a web interface.

Furthermore similiar services could be implemented that provide full encryption of all data on the server only decrypting all data only the client. (Unlike Dropbox which also stores the keys on the server). Currently such services are not practical, because in addition to platform-specific and mobile software implementations, users usually want to have a web interface as well.

(Some may argue that "http+aes" does not provide secure client-side encryption, e.g. when keys are derived from a user-provieded password that is not sent to the server, because using a web interface implies trusting the Javascript supplied by the server. This is true, but still the situation is vastly improved: Users never accessing a storage service through a web interface are now fully protected which was impossible before as just providing the web interface required storing keys on the server. Furthermore if the service provider would in fact add a backdoor to its Javascript this would at least in principle be detectable by a user, particularly if such code is delivered to most clients. Browser extensions could further monitor scripts of those sites for changes.)

Comment 1

[Patrick McManus [:mcmanus]]

no new schemes.