Hi Steve. I want to thank you for taking your time to help me. Your
comments are awesome. May I follow up with some short questions, right
after some of your comments?
Many thanks in advance.
On Mon, Aug 12, 2013 at 7:18 PM, Steve Weis stevew...@gmail.com wrote:
Francisco, you assume that all
Thank you for your quick response.
I'm not convinced by your arguments yet. I comment in between.
On 08/12/13 04:13, Francisco Ruiz wrote:
In your message, you wrote:
1. I have to *run* it to get the hash of the application from the help
page. That is already a leap of faith to run
On 11/08/13 at 09:37pm, Francisco Ruiz wrote:
I still have to read through the references you supply, but I can already
see a misconception. They refer to the dangers of carrying out cryptography
with javascript-containing dynamic pages. My previous posting referred to
_perfectly static_ pages
On 11/08/13 22:28, Nadim Kobeissi wrote:
On 2013-08-11, at 10:36 PM, danimoth danim...@cryptolab.net wrote:
On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
Twice again, privacy has taken a hit across the land. Lavabit and Silent
Mail are gone, and to quote Phil Zimmermann, “the writing is on
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/11/2013 08:10 PM, Francisco Ruiz wrote:
There’s no legal action that can shut down PassLok because it
consists of pure code, and pure code is speech, protected from
government interference under the 1st amendment to the US
Constitution.
For
On Mon, Aug 12, 2013 at 01:46:26PM +0200, Arjen Kamphuis wrote:
Client-side encryption means a Free Software code stack running on a
machine that is physically under your control at all time. Anything
else is BS.
Indeed. And it can be argued that we even need open, fully inspectable
hardware,
On 12/08/13 14:02, Ben Laurie wrote:
On 12 August 2013 06:14, Ximin Luo infini...@gmx.com wrote:
How is it possible to defend against timing attacks in JS? Any language
theoretically can be compiled into anything, but the JS runtime does not
give you much control in what the CPU actually
Thanks for a thoughtful and extensive reply. Let me see if I'm
understanding your position correctly. Running crypto code in a browser is
inherently insecure because we don't really know what the browser is doing
with it, regardless of whether it is communicating with a server. Of
course, we can't
Hey Arjen, you make a huge point. Unfortunately the Netherlands aren't any
better this way, are they? Looking around, it seems the only safe place
for a crypto server these days would be Switzerland. I'm ready to move my
stuff over there.
Does anybody know of a good, cheap, SSL-enabled web host
On 12/08/13 at 02:58pm, Francisco Ruiz wrote:
Thanks for a thoughtful and extensive reply. Let me see if I'm
understanding your position correctly.
[snip, snip, snip]
So, trusting the OS but not trusting the browser seems to me a curious case
of double standard. They are made by the same
I'm sorry but aren't we spending a lot of time conflating code
quality, secure coding practices, software distribution, .. with
~JavaScript in a browser~?
There are alternate pathways, signed and delivered as a Dashboard
widget via the Apple App Store for example.
I'm not proposing ~that~ as
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Francisco,
On 08/12/2013 10:04 PM, Francisco Ruiz wrote:
Hey Arjen, you make a huge point. Unfortunately the Netherlands
aren't any better this way, are they?
They are not, being a fully signed up member of the Coalition of the
Killing. And
So re Germany being the bastion of Internet freedom blah blah, are we all
forgetting about the Staatstrojaner?
Or have we forgiven them for that now?
On Tuesday, August 13, 2013, Arjen Kamphuis wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Francisco,
On 08/12/2013 10:04 PM,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/13/2013 12:48 AM, Tom O wrote:
So re Germany being the bastion of Internet freedom blah blah, are
we all forgetting about the Staatstrojaner?
No we are not. But the difference between Germany and many other
countries is the outrage and
Francisco, you assume that all browsers will save a static version of the
page identically. This is not the case.
I ran a test using 'wget https://passlok.site44.com' and Chrome's Save
As. The former will actually match the hash value you've posted, but the
latter does not.
I spotted at least 5
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/13/2013 01:58 AM, Tom O wrote:
That's not a good enough reason to trust Germany.
And I don't. I trust the German people to stand up when it counts.
Because they know the consequence of failing to do so.
Ensuring privacy is not a requirement
Twice again, privacy has taken a hit across the land. Lavabit and Silent
Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
for any other encrypted email provider located in US territory. This is
sure to be repeated for servers located in Europe and other countries. Is
this
Side note: please don't use LibTech as a marketing tool. Occasional
mentions are good, but I feel like you're flagging it a little too
much and too often. Just a friendly note. :)
On Sun, Aug 11, 2013 at 1:10 PM, Francisco Ruiz r...@iit.edu wrote:
Twice again, privacy has taken a hit across the
On 08/11/13 20:10, Francisco Ruiz wrote:
Download it from
its source at https://passlok.site44.com (once you have it once, you
have it forever), look at it, run it, test it. Get its SHA256 hash from
its help page and check it. If you’re as paranoid as I am, you can watch
me reading that hash
On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
Twice again, privacy has taken a hit across the land. Lavabit and Silent
Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
for any other encrypted email provider located in US territory. This is
sure to be repeated for
On 11/08/13 20:36, danimoth wrote:
On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
Twice again, privacy has taken a hit across the land. Lavabit and Silent
Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
for any other encrypted email provider located in US territory.
Hello everyone:
I believe what we need is a standard way to do client side encryption in
the web. We need secure end-to-end communications in the web, so that
we don't need to trust and be dependent on the html/css/javascript
given by any server. We have a server in the middle security
problem. This
On 2013-08-11, at 10:36 PM, danimoth danim...@cryptolab.net wrote:
On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
Twice again, privacy has taken a hit across the land. Lavabit and Silent
Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
for any other encrypted email
In your message, you wrote:
1. I have to *run* it to get the hash of the application from the help
page. That is already a leap of faith to run unverified code.
Good point. A counterfeit copy of the page might lead to a different
server, and the help page thus obtained would display a different
Thanks for the warning. I'll be more careful in the future ;-)
BTW, I'm having trouble replying to postings in a way that will show in the
log. I don't know what I'm doing wrong. Is there a help page detailing best
practices for the mail list?
--
Francisco Ruiz
Associate Professor
MMAE
@danimoth, sorry if this is duplicate. I'm re-sending this a different way
so it can be seen by all.
Thanks for the quick feedback. In there, you say,
First, it is in Javascript. Who needs cryptography, SHOULD NOT use
javascript. Google can help you ([1] for example, [2] if
you are coming from a
@Edulix (hey, a fellow countryman ;-)
I believe what we need is a standard way to do client side encryption in
the web. We need secure end-to-end communications in the web, so that
we don't need to trust and be dependent on the html/css/javascript
given by any server. We have a server in the middle