On 18 April 2015 at 00:51, Tony Arcieri <basc...@gmail.com> wrote:
> On Fri, Apr 17, 2015 at 11:56 AM, Ron Garret <r...@flownet.com> wrote:
>>
>> The fact that to use PGP you have to install an application. (This is
>> true for Peerio as well.) That turns out to be too much friction for most
>> people. Whenever you have to install an application you have to decide
>> whether or not you trust the application, and most people have no basis for
>> making that assessment.
>
>
> Why should anyone trust your web page? Do you expect people to audit the
> source code every time they use it? If they don't, perhaps you made a change
> which exfiltrates the plaintext to your personal server. Perhaps you
> targeted a single person, and everyone else sees the "real version"
>
> This is why web pages aren't trustworthy for cryptographic purposes.
>
> I wrote a blog post on this topic:
>
> http://tonyarcieri.com/whats-wrong-with-webcrypto

This is why we need Binary Transparency (for web pages, in this case). The
same problem exists for all executables, of course.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography