On Fri, Jul 26, 2013 at 03:59:34PM -0500, dd...@nulltxt.se wrote:
> You should use ContentSecurityPolicy to help avoid XSS attacks:
> http://content-security-policy.com/
> https://people.mozilla.com/~bsterne/content-security-policy/

The page appears to be entirely static to me, which I thought was one of the
advantages of this implementation. More so, it can be used offline, in a
locally hosted session.

Cheers,

Julian

> On Fri, 26 Jul 2013 15:42:02 -0500, Francisco Ruiz <r...@iit.edu> wrote:
>
> > Scenario: you, Alice, realize you're under NSA surveillance. You need to
> > get a crucial bit of information to your friend Bob, right away.
> > You've been using PGP, but now you suspect the NSA may have installed a bug
> > on your machine. Your keystrokes are being recorded.
> >
> > What can you do? Use PassLok instead.
> >
> > I wrote PassLok with three guiding principles in mind:
> > 1. Absolutely nothing should be installed or even written in the computer.
> > Alice should be able to go to the local library or borrow someone else's
> > smartphone, and leave no traces behind.
> > 2. Best security available. No compromises.
> > 3. Graphical interface. Only one screen, as clean as possible.
> >
> > Therefore, PassLok is written entirely in javascript. Once you load the
> > page at https://passlok.site44.com (http://passlok.com redirects you
> > there), you can save the file and you have PassLok even offline. You can
> > view the source and convince yourself that it is not connecting with any
> > server. If you know some cryptography, you can see that it is using the
> > well-known SJCL routines for AES encryption/decryption and elliptic curve
> > functions. Since the elliptic curves implemented in the current version of
> > SJCL only go up to the 384-bit NIST curve, I added the 521-bit NIST curve
> > (equivalent to a 15000-bit RSA key in predicted security) so that PassLok
> > uses that as a default. Even at 521 bits, the public keys are small, as you
> > can see from my lock (public key) below.
> >
> > PassLok performs public-key cryptography using the Diffie-Hellman key
> > exchange rather than RSA, so you can use whatever secret key you want.
> > Hopefully something that is both very hard to guess and easy to remember,
> > so you never have to write it down. PassLok will help you to come up with a
> > strong key, but won't force you in any way.
> >
> > PassLok can sign and verify signatures, too (many PGP implementations, such
> > as Mailvelope, cannot), and can also include a second secret message under
> > a separate key, to beat the "rubberhose attack." If you are not sure about
> > the authenticity of something, PassLok can make a short ID that you can
> > read over the phone. All of it from a single screen.
> >
> > I want people to use PassLok and uncover any bugs it might still have,
> > before I move on to a Gmail plugin based on its engine. I believe it is
> > already very secure and easy to use by those who know a little
> > cryptography. Hopefully the metaphor used throughout PassLok, about locks
> > and keys rather than private/public key pairs, will also make it usable by
> > novices.
> >
> > I'll appreciate any feedback you can give me. The link is repeated at the
> > bottom.
> >
> > Thanks!
> >
> > --
> > Francisco Ruiz
> > Associate Professor
> > MMAE department
> > Illinois Institute of Technology
> >
> > my PassLok lock:
> >
> > PL12lok=KpYv+bqJ7pq0eqC664UlIcwfl1P8f8p12NUqFdg2bQ2gTQTBuOo09BQs3GGiYOQUuQmtnoceAxJoSzjvYEYOM0q=PL12lok
> >
> > get the PassLok privacy app at: http://passlok.com
> > --
> > Too many emails? Unsubscribe, change to digest, or change password by
> > emailing moderator at compa...@stanford.edu or changing your settings at
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
Julian Oliver
PGP B6E9FD9A
http://julianoliver.com
http://criticalengineering.org