On Wednesday 16 July 2014 16:25:26 Emre Erenoglu wrote: > On Wed, Jul 16, 2014 at 4:11 PM, <[email protected]> wrote: > > Hi, > > > > I don't want to ruin your day, but why would you want client side > > encryption in javascript? How could the user be sure that the script is > > working as advertised? I doesn't see a way to guarantee that without > > trusting the server where the javascript file is coming from. But in > > that case you can also just upload the unencrypted file over a secure > > (ssl) connection. > > I guess the use case is obvious. As a client, you can't actually trust it > if the encryption is done on server side. If your server is in a VPS in a > server farm, then it also means you can't trust the hosting provider > neither. Whoever has access to the server can theoretically decrypt your > files. > If you do it on the client side, then it becomes really trusted, but it can > also become complicated when it comes to things like sharing, differential > updates, etc.
A good read: http://matasano.com/articles/javascript-cryptography/ In summary, if you can't trust the server that it does the encryption, then you also can't trust that it does not serve you bad javascript that sends to the server the encryption keys. -- Olivier _______________________________________________ User mailing list [email protected] http://mailman.owncloud.org/mailman/listinfo/user
