On Mon, Jul 21, 2014 at 12:59 PM, Aymeric Vitte <vitteayme...@gmail.com> wrote:
> Please read again what I have written, your answer just extracts really > basic parts out of the context and does not take into account the whole > picture that I have explained, I already read the link you provided some > years ago, I recall it as trivial and/or too old statements unfortunately > having still enough visibility on the web to disinform people. > I read what you wrote. You're wrong. You are very, very wrong. The code loading is an unsolvable issue unless you do what I have writen. > Loading JavaScript of any kind over plaintext HTTP is a bad idea. Loading JavaScript implementing cryptography is a sign you have no fucking clue what you're doing. It's the equivalent of a giant "DANGER WILL ROBINSON: THIS CODE IS UNSAFE" sign. Extensions, plug-in, add-on can not secure you more than a js code that you > can not hide > Browser extensions are cryptographically signed. Plaintext HTTP is trivially rewritten by an attacker. Systems like Peersm are horrendously vulnerable to an active attacker. > And at the end, what I am talking about is a standalone js app inside > browsers, this is highly doubtful that someone can question the security of > this, I would like to see it (but then please read exactly what I wrote) > If someone has a "privileged network position" (i.e. your barista), they can catastrophically compromise the alleged "security" of such a system via an incredibly trivial MitM attack. This same attack cannot be performed against cryptographically signed browser extensions. Even adding HTTPS to your HTML/JS site would be a step up. This app is poorly implemented and dangerous and it would be best for you to either find some way to serve it over HTTPS or delete it from the Internet.
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
