Hi, you have to trust the server in a host-based security setting. If you want to mitigate that, have you considered packaged (not hosted!) apps? Check out Chrome Apps, Firefox Apps, node-webkit, atom-shell, ... It all boils down to what you threat model is. Also, you probably don't want to roll your own authentication mechanism. You also might want to avoid doing funky stuff with removing the script sources and loading them from arbitrary locations... Recommended read for js security and threat models (be sure to check out the discussion, too!): http://tankredhase.com/2014/04/13/heartbleed-and-javascript-crypto/
Cheers Felix On Wed, May 21, 2014 at 7:57 PM, Apostolis Xekoukoulotakis < [email protected]> wrote: > Hello everyone. I am thinking of using openpgp as an authentication > mechanism form my site and more. Send a random number to the client, the > sessionId, which he then has to sign and send back. > > I was also worried that if someone could attack my server, he could send > arbitrary js code to the client and thus all clients would be compromised. > So I decided to create a nodejs app that users would have to install > locally that would provide them those js scripts. > > They would only have to contact the server for content. So now I am > worried about someone injecting js code into the content. > If I wrote a parser that removed script tags, I suppose this would be > secure, right? > > The apps goal is to let users issue new currencies, that is why is > security is very important. > > _______________________________________________ > > http://openpgpjs.org > Subscribe/unsubscribe: http://list.openpgpjs.org >
_______________________________________________ http://openpgpjs.org Subscribe/unsubscribe: http://list.openpgpjs.org
