I work for a company that has tried very hard to do cryptography in JS right. For an earlier version, we did an enormous amount of crypto in a JS extension, though in our latest version, we have managed to make our browser extension much thinner.
But we still have one optional feature, 1PasswordAnywhere, that delivers crypto in the web page over TLS. And this feature is the “exception” to almost everything we say about the security of our system. With goto-fail and Heartbleed, we were able to say to customers “1Password’s security doesn’t depend on the security of SSL/TLS (except for 1PasswordAnywhere)." With respect to active attacks, we were able to say “1Password’s use of authenticated encryption protects from most active attacks (except for 1PasswordAnywhere)”. With respect to phishing/spoofing we were able to say “You are never prompted for your 1Password Master Password within a web page (except for 1PasswordAnywhere)” You should see a pattern there. And that pattern emerges precisely because in that legacy feature we are delivering crypto in a web page over SSL. It is there that we still face threats that we have largely eliminated elsewhere. [Note. We do try to inform users and discourage use of the particular feature; but many people still depend on it and are willing to accept its more limited security.] Cheers, -j _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
