On 10/26/13 11:02, Fabio Pietrosanti (naif) wrote:
> Greetings, ...
> The idea is to fix this problem by creating a technology that enables
> opportunistic encryption of all data exchanged (via AJAX) by modern
> javascript applications by leveraging unauthenticated TLS with DHE
> ciphers (providing Perfect Forward Secrecy).
>
> This could be realized by providing a "thin" layer of integration into
> any existing Javascript application to wrap the XHR/Ajax requests,
> proxying them through a Javascript TLS Client, with some server-side code
> acting as a gateway/minimal TLS implementation working within an HTTP in
> HTTP tunnelling model.
>
> If a technology like that existed, it would be possible to integrate
> it as part of Wordpress or Django or other commonly used web
> framework/technology.
>
> This would provide by default unauthenticated TLS encryption for most of
> its web traffic, with perfect forward secrecy, without HTTPS.
>
> I tried to summarize the idea on the Forge (Javascript TLS stack) github
> issue at https://github.com/digitalbazaar/forge/issues/84 .
>
> I know that this kind of argument attracts crypto-trolling ("Javascript
> encryption" and "Unauthenticated encryption" and "Opportunistic
> encryption") but I think that it's worth discussing because it could be
> a revolutionary approach to challenge massive wiretapping.
>
> What do various people think about this approach?
>

One question: How does the javascript get to the browser without any
interference from intermediate parties?

Guido.
