The Problem: HTML Forms and Confidentiality
This web site is concerned
with the problem of encrypting HTML forms when you don't have
access to the server hosting your web pages.
HTML forms normally rely on server-side capabilities to process
the forms. If you can't run CGI scripts (either because the
people hosting your site won't let you or because you don't know
how to write such scripts), you are faced with two alternatives:
To get privacy, one normally uses the HTTPS protocol (HTTP running
on top of the Secure Sockets Layer, SSL, or its successor TLS) to
encrypt HTML forms. HTTPS requires that an SSL key and a digital
certificate be installed on the web server, so HTTPS is not a
solution for people without access to the server.
MeringueMail is a collection of routines that offers (some level
of) privacy when HTML forms are submitted, without relying on
server-side software. The security that MeringueMail provides is
weaker than that offered by SSL. However, MeringueMail may be
acceptable if you absolutely can't run server-side code (see the
Important section at the bottom of this page).
MeringueMail for Encrypting Forms
MeringueMail can encrypt HTML
forms for confidentiality by running only (client-side)
JavaScript. The routines can encrypt forms submitted using a
"mailto:" URL or via Response-O-Matic or Bravenet (and
possibly other servers with minor modifications to the JavaScript
routines).
MeringueMail consists of two sets of programs:
The JavaScript routines work with Internet Explorer 5 and 6, Netscape 4.7, Mozilla 1.1 and Firefox. They should also be compatible with more recent versions of these browsers, but this hasn't been verified experimentally. MeringueMail appears not to work with the Opera browser, which seems to have a very slow JavaScript interpreter.
Downloading MeringueMail Version 1.2.4
The following downloads are in .zip files.
Contact & Demonstrations
For a demo of MeringueMail, you can send a
message from the following form. If you're just curious to see
how MeringueMail encrypts a form, select the "Test
message" type. If you need help installing MeringueMail (or
experience any other problems), please choose the
"Assistance" option. Bug reports can also be
submitted from the same form.
The form will be processed by the Bravenet form processor, which
means that the form submission won't reveal your e-mail address
(unless you choose to supply it).
Some Mildly Technical Stuff
MeringueMail's Cryptography & Security
The cryptographic algorithms
used in MeringueMail are all well known and have been studied by
serious cryptanalysts; i.e. the cryptography is unlikely to be
"snake oil".
"Hybrid" cryptography is used;
i.e. asymmetric (also known as public key) encryption is used for
key exchange and symmetric crypto is used for data encryption.
This is the same principle used by, for example, SSL and PGP.
MeringueMail uses 1024-bit or 1536-bit RSA with PKCS#1 (version
1.5) padding for its asymmetric encryption. The ARC4 (alleged
RC4) algorithm with a 128-bit key is used as the symmetric cipher.
The RSA keys are generated by the client software using Java's
SecureRandom class. The public keys are exported from the client
as JavaScript files to be packaged with your form. The
MeringueMail client restricts access to the RSA private keys
using the PKCS#5 password-based encryption scheme.
These parameters reflect the practice of 2002. Today 1024-bit RSA
is below the accepted minimum of 2048 bits, RC4 has well-documented
keystream biases and has been prohibited in TLS (RFC 7465), and
PKCS#1 v1.5 encryption padding is exposed to Bleichenbacher-style
padding-oracle attacks whenever the decrypting side lets an attacker
distinguish padding failures; RSA-OAEP is the modern replacement.
ARC4 keys are generated by JavaScript routines running in the browsers of visitors to your site. Since the JavaScript of the time had no cryptographic random number generator (modern browsers provide one as crypto.getRandomValues), these keys are generated by collecting "noise" from the JavaScript timer and from measurements of keyboard and mouse latency. This noise is stored in an "entropy pool" that is used to seed a pseudorandom number generator (PRNG). The PRNG is based on the SHA1PRNG used in Java. The quality of the resulting key is bounded by how much unpredictable noise was actually collected, not by the 128-bit key length.
While the cryptography in MeringueMail was, by the standards of its day, almost certainly unbreakable in practice, this strong encryption should not be taken to imply that MeringueMail is "secure". Software that relies entirely on client-side code cannot authenticate the server: the page, the JavaScript routines and the public key embedded in them all reach the visitor over plain HTTP, so an adversary who can alter that traffic can substitute their own public key (or their own script) and launch a "man-in-the-middle" (MITM) attack on your web site. This vulnerability is not unique to MeringueMail but applies to all software that does not provide server authentication. HTTPS authenticates the server through its certificate, which is why it is the preferred approach for form encryption. If you believe that MITM attacks are a threat to your web site, you should not use MeringueMail.
Database Support
Many web servers run CGI scripts to store the
forms posted in a database. It is a little tricky to store an
e-mailed form in a database. The obvious solution is to manually
capture the data but this is tedious and error-prone.
MeringueMail now supports the ability to write decrypted forms to
a database.
The routines have been tested with Microsoft Access 2000 and
MySQL 4. However, the database functionality should work with
other database management systems (DBMSs) that have ODBC drivers
or JDBC drivers.
If you don't have a DBMS, you should consider downloading the MySQL database. It's excellent, which is why it's
downloaded 29,000 times per day.
You can get an overview of how to use a database to store
MeringueMails here.
Frequently Asked Question: Can MeringueMail be used with Outlook?
(This question has only been asked twice but
"frequently" is a relative term.)
Version 1.2.1 of the MeringueMail client simplified the process
of using MeringueMail with another e-mail client. The procedure
involves exporting the message from your existing mail client and
importing it into MeringueMail. The procedure is described in
section 13 of the documentation.
Release history
Version 1.0 (October 2002): Initial release.
Supported form submission via e-mail and Response-O-Matic.
Version 1.1 (March 2003): Added support for the BraveNet form
processor. The name of the form is now submitted with the form. Fixed
form rendering bugs in the mail client.
Version 1.2 (May 2003): Added support for character sets other
than Latin-1 (ISO 8859-1): any character in the Unicode character
set can now be encrypted. Database functionality was added,
simplifying the process of storing a decrypted form in a
database.
Version 1.2.1 (May 2003): Added an option to the MeringueMail
client to allow messages to be imported from other mail clients
such as Outlook and Outlook Express.
Version 1.2.2 (August 2003): Minor enhancements to the database
code and code for recovering if the file containing the
MeringueMails becomes corrupted.
Version 1.2.3 (November 2003): The dialog box for logging onto a
mail server was improved.
Version 1.2.4 (December 2004): Very minor change concerned with
deleting MeringueMails.
Important
The best way to
submit confidential information in a form is by means of HTTPS
(HTTP over SSL/TLS). MeringueMail should not be used as an
alternative to a well-designed and extensively analysed protocol
like SSL. If you want to send secure e-mail you should consider
PGP or use a mail client that supports S/MIME (the latter
requires that you get a digital certificate from a certification
authority).
At the risk of stating the obvious, using MeringueMail to encrypt
sensitive personal information such as credit card details would
be grossly irresponsible.