Q1: How secure is it?

Nothing is 100% secure, but Epadlock provides a good basis and a usable framework, and it balances usability with security. Modern browsers like Firefox and Chrome handle large JavaScript computations very well and reasonably quickly.

The padlock and key are created using an RSA 2048-bit private/public key style system, the current standard. This can be decrypted by someone using a powerful computer, but it will take some time to do. The Epadlocks and keys are randomized, so it is very unlikely that two padlocks and keys will be the same. The main threat to any encryption is the so-called 'Man in the Middle' attack, where someone monitors the transmission and changes the files so that one party uses a key created by the attacker, thus nullifying its effectiveness.

The usual way to solve this is the SSL 'secure' link between two PCs. You can't do that with email, as the files have to pass through multiple machines, so Epadlock uses a variant private/public key system. The Epadlock is created by you as part of an SSL-secured session with our server. So the only time the padlock is in the open is when you email it to the other person, at which point it could be intercepted and changed by a 'man in the middle'.

The main security is in anonymity: your information has been turned into the type of code you might see in the header of the email, rather than plain text. So the person attempting to read your information first has to work out which code in the email contains your information and how it was produced (there should be no reference to Epadlock in the return email), and then has to decrypt it.

Epadlock provides a simple level of security for your personal information, but if you feel that your email transmissions are being targeted then you need to consider very powerful secure encryption for the entire email transaction.

You can read more about encryption techniques on Wikipedia.

Q2: How can I trust you?

A good question for any encryption product. If it is a program and you can't read the code, how do you know it is not doing something else behind the scenes? For Epadlock you don't need to trust me.

The system creates two HTML files whose source code you can open up and read. You can see everything that it does - in fact they are all the same apart from the key codes (the combination, so to speak). This is created using JavaScript on your computer, the code for which comes from open-source, publicly available JavaScript libraries which are described in the licences for the software. Both the padlock and key files are destroyed on the server after the zip file is created, and this follows soon after you have downloaded it. I have no idea of the email addresses of the sender or recipient, so I have no way of knowing when and where the padlock will be used - thus I can no more decrypt your data than someone attempting to steal it. The whole process is simple and free.

Q3: Why don't I just use something like PGP?

You should if you are concerned about the security of your email information. There are free versions available for good email clients. Unfortunately, you can't make someone emailing you use it. The Epadlock makes it easy to keep information sent to you away from prying eyes. You could use a pair of padlocks/keys to protect an email 'conversation' by getting the other party to download their own Epadlock. Download resources are available for OpenPGP.

Q4: Will it work on a Mac or Linux?

Yes, it should. The only issue will be the speed of the processor. The encryption routine requires computing power - I have successfully run it on a Pentium 3, 1 GHz processor. It is designed to be universal, as it runs on any JavaScript-enabled browser. It is being tested on a range of operating systems. Currently it has been tested on Windows 7, Linux and Mac. Android machines can use the files, but you need to be able to open zip files to download the original padlock and key file as a zip archive, and this can be problematic on Android (you need to install an app).

Q5: Which browsers does it work on?

It is designed to be universal, as it runs on any JavaScript-enabled browser. It is being tested on a range of browsers all the time.

Q6: Help, it doesn't work for me!

Sorry to hear that. Contact us with details of the problem and I will try to find out why for you. In the meantime, make sure you are not blocking JavaScript, as it will not work without this. Check the settings of your browser and make sure Firefox add-ons like 'NoScript' are not blocking the JavaScript.

Q7: Can I re-use the padlock and key?

Yes. The padlock/key is just as secure each time it is used. Of course, as with any security system, any repetition in theory makes decryption easier (that's one of the ways the WWII Enigma was broken), but in practical terms, unless you believe that you are being specifically monitored, re-using the key is not a major issue. If you want to use different padlocks for different people you can rename the padlock and key files. The important thing is to keep the 'keyfile' secure, because with this the code can be decrypted to plaintext - but this means keeping your PC secure.

Q8: Why is it free?

I created the e-padlock for my own personal use. I can't guarantee the security (because no one can guarantee security), but I am offering it on the internet as a way to help other people keep their information safe. If you find it useful, you can donate towards the cost of development and server maintenance.

Q9: Why is it written in HTML - all the source is readable?

My objective was usable security.

I could have used a program which runs on two PCs, but it would need lots of variants for different operating systems and would need testing to ensure anti-virus or other programs didn't interfere with it. I wanted it to work on as many machines as possible, so if you have a browser it should work. I also wanted a single file that didn't need installing - all the style information and JavaScript is included in the file (all the images are created in HTML too).

In addition, you wouldn't be able to see what the code does - quite reasonably, that might make you think twice about using it, just in case it did something else with your information (after all, some unscrupulous people have written anti-virus programs that have installed viruses).

Yes, someone can read the JavaScript and know how it works, but they still need to go through all the alternatives to decrypt the cyphertext from the padlock. That is assuming they know you have used Epadlock to encrypt it.

To quote Bruce Schneier, Crypto-Gram: "Client side encryption is a must have for developing host proof applications: There must be no knowledge of the clear text data at the server side, all data is encrypted prior to being submitted to the server. Client side encryption is mandatory for protecting the privacy of the users. 'Don't trust us, check our source code!'"

"As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice." (15th September 1999).

Q10: How much data can I send encrypted?

Currently the maximum is 180 characters. The system will only allow this amount at the moment to keep it quick. The main restriction is processing power. The longer the plaintext, the longer the cyphertext and the longer the time required for encryption and decryption. It was designed for codes, passwords and short text.

Q11: What do the numbers in the filename mean?

In order for the server to manage the process of creating the unique padlock and key files it creates a unique name for each zip file. The number is composed of the IP address of the computer requesting the file and the time and date of creation. This avoids possible duplicates. You can change the name of the padlock and key files to anything you want, just keep the HTML extension so it will be opened in a browser.

Q12: How can I make Epadlock more secure?

The best way is to get the padlock to the sender via an alternative to email; that way the Epadlock combination details will never be exposed to the internet. But normally that is impractical: if you could do this, you could send the data that way too!

The Epadlock uses the RSA standard of 2048-bit keys, which they claim are sufficient until 2030. However, the main strength of the system is not the key size, but anonymity. In order to break the code you need to know that it was created with Epadlock and that the cyphertext supplied has not been changed in any way. You can improve security by adding pre-agreed, additional characters to the cyphertext when it is sent, which you can remove before de-cyphering. Alternatively, you can encrypt the cyphertext twice using two Epadlocks. In any event you will of course need to make sure your recipient understands the process.
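The 'man in the middle' risk from Q1 and the alternative-channel advice above can be combined: only a short fingerprint of the padlock file has to travel by phone or in person, and the sender checks it before encrypting anything. This is an added example for Node.js, not part of Epadlock; the function names and the sample file contents are assumptions constructed for illustration.

```javascript
const { createHash } = require('crypto');

// SHA-256 of the exact file bytes, as 16 groups of 4 hex digits for reading aloud.
function padlockFingerprint(fileBytes) {
  const hex = createHash('sha256').update(fileBytes).digest('hex');
  return hex.match(/.{4}/g).join(' ');
}

// Strip the separators and case differences people introduce when retyping.
function normalise(fingerprint) {
  return fingerprint.toLowerCase().replace(/[\s:-]/g, '');
}

// 'match'     - the file is the one the owner fingerprinted
// 'mismatch'  - the file differs: treat it as substituted, do not encrypt with it
// 'malformed' - the expected value is not a full fingerprint (typo, truncation)
function checkPadlock(receivedBytes, expectedFingerprint) {
  const want = normalise(expectedFingerprint);
  if (!/^[0-9a-f]{64}$/.test(want)) return 'malformed';
  return normalise(padlockFingerprint(receivedBytes)) === want ? 'match' : 'mismatch';
}

// Constructed sample data standing in for a padlock file and a swapped copy.
const genuine = Buffer.from('<html><body>padlock: constructed key A</body></html>');
const swapped = Buffer.from('<html><body>padlock: constructed key B</body></html>');

// The owner reads the fingerprint out; the sender types it back with colons.
const asTyped = padlockFingerprint(genuine).toUpperCase().replace(/ /g, ':');

console.log('read out :', padlockFingerprint(genuine));
console.log('genuine  :', checkPadlock(genuine, asTyped));
console.log('swapped  :', checkPadlock(swapped, asTyped));
console.log('truncated:', checkPadlock(genuine, asTyped.slice(0, 19)));
```

The fingerprint is not secret, so the second channel only has to be one the email interceptor cannot also alter.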
