On Tue, Jan 14, 2014 at 6:44 PM, Uncle Zzzen <[email protected]> wrote: > >> 3. "Passive" global adversary attack: >> > As long as the JS is what the owner claims it is (assuming it's code that > has been peer reviewed enough according to your standards), it doesn't > matter whether they confiscate the hard drive or just listen.
i hate the term "passive global adversary". the adversary active across the global theater is able and active. also, you're wrong three ways: 1) if entropy is compromised (see history of RNG tampering) this assumption is actionable-ly false. don't get me started on the OpenSSL/* RDRAND fiasco... 2) "JS is what the owner claims it is" is suspect in BULLRUN situation where private keys pilfered. (not to mention all the other subversive techniques applied) 3) the attack surface of the browser. nuff said! (or said again, "just listen" is only harmless if no prior active intervention has occurred) -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
