On Tuesday, May 1, 2012 11:50:58 AM UTC-4, Jeff Barczewski wrote:
> However you are correct in that it doesn't have as many safeguards as SSL
> in that you don't have any independent verification that the server you are
> talking to really is the legitimate server. All you know is that your
> communications with this unverified server are reasonably secure. Kind of
> similar to the same security we have when people generate their own
> unregistered SSL certs and tell people to just accept the security warning
> the browser pops up (encryption but not verification).

You also lose because you cannot control for the fact that it is actually assl that it is running. Code can be injected (dns spoofing, browser extensions, whatever), resulting in text not being encrypted. Others have already explained why browser-javascript encryption is doomed to fail, so I leave you this link: http://www.matasano.com/articles/javascript-cryptography/
