After the success of last year’s GSoC project with Drupal, I thought it would be a great idea to see if we could take what we did there (server-side encryption) and do something similar on the client side. The benefit of this approach is that unencrypted content/data is never seen by the hosting server, so it’s not necessary to trust it to the same degree. This has been a requested feature for some time, and has become very popular within the instant-messaging space.
I posted the idea, but wasn’t sure how much traction there would be given the additional complexity. Before long, there were two students, Marcin Czarnecki and Tameesh Biswas, who were interested in the project given their interest in cryptography. They both wrote very good proposals, which we in the Drupal community accepted.
With the help of Adam Bergstein (my co-mentor from last year) and Talha Paracha (last year’s student), we were able to mentor both students in working towards completing their projects, even with the added complexity. Unlike last year, users’ passwords couldn’t be used to encrypt anything because the site has access to these. An out-of-band mechanism, public-key cryptography, was necessary to perform the encryption. It needed to be in the hands of users themselves instead of being handled implicitly by the server.
I’m delighted to report that both students passed. The community can now take their projects and build upon them. Please review the new Drupal modules at Client-side content encryption (overview) and Client Side File Crypto (overview). If there are any issues, please open tickets in the respective queues.