-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 15/01/14 10:34, coderman wrote: > 2) "JS is what the owner claims it is" is suspect in BULLRUN > situation where private keys pilfered. (not to mention all the > other subversive techniques applied) > > 3) the attack surface of the browser. nuff said! (or said > again, "just listen" is only harmless if no prior active > intervention has occurred)
Hello people: What's wrong with webcrypto is that if you want to create a secure chat app, or an encrypted voting system (as I do), or secure etherpad, or anything that needs javascript cryptography, you have to trust the Javascript provided by the web server. This is what I call the server-in-the-middle attack. My proposal would be to do something like SSL for end-to-end crypto. To have secure isolated reusable web-components so that you don't need to trust the web site, but the web browser. I proposed this some time ago: http://edulix.wordpress.com/2012/01/08/the-server-in-the-middle-problem-and-solution/ Regards, Eduardo -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iF4EAREIAAYFAlLWgG0ACgkQqrnAQZhRnaqVwAD7BOREx8qb8obx8i6+5aMka2V2 97EIfmB6JGDjgZs0m5AA/1OOdmkyGKBLUjDA/z7ZlBqauIxhnzpUbQ14jOi4C7Iq =0ukA -----END PGP SIGNATURE----- -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
