On Sat, Jan 18, 2014 at 01:52:07AM +0700, Uncle Zzzen wrote: > In that case, we shouldn't trust anything unless it's [hopefully] > hostile-player-proof P2P, then we're back to "confiscate the hard drive" > times.
There's one acceptable compromise left.. the one that the Tor architecture employs... dumb relays that do useful work and have no idea either they are doing or who they are doing it for. > Or would they pwn all desktops as well? (I assume all phones are pwned by > definition :) ). My impression from 30c3 etc is that personal computers still aren't as easily mass p0wnable as (virtual) servers and routers. Firewalls may actually work sometimes. Operating systems may actually not be broken sometimes. Hardware backdoors may exist but not be used in massive way as it would compromise their effectivity. I presume Mr Schneier is right saying that if the nation state actor is after *your* device, then the likelihood is high it will find its way in (especially if you use a collaborating operating system). This threat model only worries me if it could be applied against entire nations in a warfare situation, which it might. > > it is reasonable to argue that the web browser is such a complex > > monster it is impossible to secure. i presumed that to be obvious > > but maybe it should be mentioned for completeness. > > IMHO the answer is projects like https://www.syndie.de/ that deliberately > have a "lame html browser" as the gui, and all crypto is done outside the > DOM. Yes, RetroShare has HTML-compatible rich text everywhere, but no actual web browser. We were considering something similar for secushare, too. It's a pattern. Recover the spirit of the web and throw away the cancerogenous parts. > I know Syndie is not a realtime app (and chats/etc. would need some more > functionality), but maybe it's a good idea to build "app-specific secure > browsers" (that can't browse http[s]: urns directly) from the bottom up, > hopefully with a saner language than javascript to control them. > > Are there any "browsers" like this out there? Yes, ever since the mid 90s.. but you probably never heard of them or of the fact they support this feature. ;-) -- http://youbroketheinternet.org ircs://psyced.org/youbroketheinternet -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
