Crypt3TR by TBDwarf

Crypt3TR is an open source Firefox extension that allows you to encrypt and decrypt text directly in your browser, on virtually any site: webmails, forums, social networks, web messengers, wikis, forms…

🎯 Goal: make message encryption simple, fast, and accessible, without complexity or public/private key management.

✨ Main features:

• 🔒 100% client-side encryption / decryption
  -- Everything happens in your browser, without an intermediary server.
  -- Pages never see the plaintext: only [[crypt3tr]]…[[/crypt3tr]] blocks.
• 🖱️ Unified "Crypt3TR" contextual menu
  -- Right-click in a text area → Crypt3TR Encryption.
  -- Opens a secure editor (within an extension iframe) to write or re-edit the message.
  -- Upon return, only the encrypted text is inserted into the page (never the plaintext).
• 👁️ Decrypted display via a secure viewer
  -- Encrypted blocks on the page are automatically replaced by a dedicated viewer (extension iframe).
  -- Visual "dissolve" effect from base64 to plaintext.
  -- The decrypted text remains confined within the extension iframe, outside the page's DOM.
• 🌐 Domain whitelist
  -- Limit the extension to the sites you choose (webmail, chat, forum, etc.).
• 📝 Support for numerous fields
  -- <textarea>
  -- <input> (text, email, etc.)
  -- contentEditable elements (rich editors)
  -- Certain Shadow DOM content (modern webapps)
  -- Specific integration for Discord, WhatsApp Web, Gmail, etc.
• 🌍 Bilingual FR / EN interface
• 🧩 No data collection, no tracking
  -- No account, no registration, no server: everything is 100% local.

🧰 Typical use cases:

• Protect your email content on webmails
• Send confidential messages via a forum or web chat
• Encrypt sensitive notes before posting or storing them online
• Share a password or access code more securely

✅ For the recipient to read your encrypted messages, they simply need to:

1. Install the Crypt3TR extension
2. Enter the same password in the extension
3. Open the page containing the message: the viewer automatically displays the decrypted version (if the domain is authorized).

🛡️ Security, DOM & internal workings:

Protection against DOM reading

• Plaintext no longer passes through the page's DOM:
  -- it does not appear in <input>, <textarea>, or contentEditable in readable form,
  -- it is not visible via "Inspect Element" or through third-party scripts reading the DOM.
• Editing takes place in a dedicated editor (extension iframe), isolated from the page context.
• Reading takes place in a dedicated viewer (another extension iframe).
• A malicious script injected into the page (XSS, third-party script, another extension) only sees:
  -- [[crypt3tr]]BASE64[[/crypt3tr]] blocks in the DOM,
  -- or the reading iframe, but without access to internal content, thanks to extension isolation.

Message encryption

• Algorithm: AES-256-GCM
• Key derivation: PBKDF2-SHA256, 500,000 iterations, with 128-bit random salt
• IV: 96-bit random

The text is encrypted with a key derived from your password. Anyone with the same password and the extension can decrypt these blocks.

Secure password storage

• Your password is never stored in plaintext.
• It is encrypted with a non-extractable AES-GCM master key, generated and stored in the extension (IndexedDB).
• This master key is never exported and remains within the extension's secure context.
• The password is only used in memory to encrypt/decrypt your messages.

⚠️ Limitations & threat model:

Crypt3TR does not protect against:

• keyloggers, malware, or a compromised operating system,
• other malicious extensions capable of directly reading your keystrokes or breaking extension isolation (very high threat model),

Real security also depends on:
- password quality (long, unique, complex),
- machine reliability (uninfected PC, healthy browser).

✅ Recommended best practices:

• Use a long and unique password (20+ characters, letters + numbers + symbols).
• Share this password via a secure channel (Signal, physical meeting, etc.).
• Restrict the whitelist to sites where you actually need encryption.
• Avoid using Crypt3TR on public or untrusted machines.

🧑‍💻 Source code & contributions:

• 🔓 Source code: <https://github.com/TBDwarf/Crypt3TR>
• 📜 License: Apache-2.0

Crypt3TR aims to offer simple, convenient, and transparent encryption for your everyday web messages, while remaining respectful of your privacy, and protecting you as much as possible from scripts that read the DOM of pages.