I once worked with an undergrad student at hopkins that that something like
this.
However his focus was on encrytping and decrypting the content you would store
to google's servers ("the cloud" in today's terms) so that even if google had
your data, they wouldn't know what they had. Though his method was just shared
secret. And it worked. But turned out to be impractical because you can't
share, and if protecting email, others, even if they coudl decrypt it could
just forward it.
________________________________
From: Nagaev Boris <[email protected]>
To: witty-interest <[email protected]>
Sent: Wednesday, June 27, 2012 2:09 AM
Subject: [Wt-interest] JavaScript level encryption
Hello!
Long time ago I had a crazy idea of using public key cryptography
through JS. I know about SSL, but unfortunately it has one big
problem: you are to buy a certificate (actually, sign a certificate by
certificate authority). Certificate authority free encryption systems
are known to be vulnerable to active attacks, but they can prevent at
least passive attacks. But in Web you can't take advantage of public
key cryptography without paying money to certificate authority (ok,
you can use self-signed cert, but most of browsers will show ugly
warnings to users).
The workaround seems to be JavaScript-based encryption. At the
beginning of Ajax session, Diffie-Hellman key exchange is done and
then this key, that is known only by a client and a server, is used to
encrypt all the information, passing through the ajax. This encryption
system would be resistant to passive attacks (passwords, entered by
user, can't be captured). This system is not be resistant to active
attacks. But most of attacks are passive (for example, free WiFi
access points). The advantage over SSL is free of charge.
I think, this encryption would be a great part of Wt. Almost no
changes of Wt applications would be needed, since all the JS is
generated by Wt itself or Wt's functions, so can be easily wrapped. It
would be a method of WApplication, enabling this encryption.
Is it possible to implement this?
Regards,
Boris Nagaev
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest
