why does everyone want to trust yet another third party to encrypt data
on their behalf :)?
if u want to encrypt stuff, u should do it on ur machine. Maybe what
people should be searching for is an easy-to-use, audited and open
source stack to do it.
if we are too lazy to do it ourselves and want to outsource it to an
online service; this we dont really value ourprivacy after all. there is
no gain without a little pain.
On 18/06/2013 21:05, Steve Weis wrote:
It's not safe.
This is their bookmarklet:
(function(){document.body.appendChild(document.createElement('script')).src='https://encipher.it/javascripts/inject.js';})(
<https://encipher.it/javascripts/inject.js%27;%7D%29%28>);
That loads a JavaScript file from the encipher.it <http://encipher.it>
site, which can be changed at any time and compromise your messages
without your knowledge.
The actual call to encrypt data is here:
https://encipher.it/javascripts/encipher.js :
"""
hmac = hex_hmac_sha1(key, _this.text);
hmac += hmac.slice(0, 24);
cipher = hmac + salt + Aes.Ctr.encrypt(_this.text, key, 256);
"""
They're MACing the key for some reason, then using unauthenticated CTR
mode without an HMAC. So this is completely vulnerable to someone
modifying the ciphertext.
That CTR mode is implemented by this:
https://encipher.it/javascripts/AES.js. That's using the time of day
as a nonce combined with a weak JS Math.random(). That's vulnerable to
some attacks as well.
Generally, I'd assume that a random crypto project you run across is
probably not safe.
On Tue, Jun 18, 2013 at 11:51 AM, Lorenzo Franceschi Bicchierai
<[email protected] <mailto:[email protected]>> wrote:
Have you guys seen this?
https://encipher.it/
I've searched through the archives but didn't see anything. I'm
wondering how safe this is.
It has received some small attention on the media before.
http://www.pcworld.com/article/255938/encipher_it_encrypts_email_for_free.html
Thoughts?
--
*Lorenzo Franceschi-Bicchierai
*Mashable <http://www.mashable.com> Junior US & World Reporter
[email protected] <mailto:[email protected]> |
[email protected] <mailto:[email protected]>
#: (+1) 917 257 1382
Twitter: @lorenzoFB <http://www.twitter.com/lorenzoFB>
Skype: lorenzofb8
OTR: [email protected] <mailto:[email protected]>
www.lorenzofb.com <http://www.lorenzofb.com>
--
Too many emails? Unsubscribe, change to digest, or change password
by emailing moderator at [email protected]
<mailto:[email protected]> or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at [email protected] or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
--
Too many emails? Unsubscribe, change to digest, or change password by emailing
moderator at [email protected] or changing your settings at
https://mailman.stanford.edu/mailman/listinfo/liberationtech
