[liberationtech] Peer-review required: SwaTwt and TweedleDH

[Steve Weis]

I gave some constructive criticism directly, but it mostly echoes what
you already wrote.

In light of Haystack, I think it's important that security questions
about live systems are raised early and loudly. There are
non-technical readers of this list and you don't know who might start
using that site. I encouraged Mr. Zzzzen to highlight that the site is
for test purposes only.

In fairness, I have collaborated on an experimental privacy-related
project called PseudoID where the live demo code uses client-side
Javascript crypto. The site has a warning that says it is for demo
purposes. The corresponding paper discusses all the security issues
why it's not ready for practice and the future work that would need to
happen.

One of the future areas of work was to build crypto support into a
browser plug-in or extension. There is work being done on client-side
crypto for HTML5, similar to client-side storage, that is promising.
Support would be built into compatible browsers and accessible via
calls in Javascript.

On Tue, Sep 28, 2010 at 8:07 PM, Daniel Colascione
<dan.colascione at gmail.com> wrote:
> First off, I don't think SwaTWT is particularly *useful*. Sending an
> encrypted message is a solved problem: use PGP or OTR. These systems are
> infinitely better than plain old (unauthenticated!) symmetric cryptography.
>
> That said, constructive criticism is better than sternly shooting down a
> well-meaning novice; at least he asked for someone to review his work.
> If you pin his ears back, you're just teaching him to not ask for input
> next time.