[liberationtech] pgp message encryption and decryption using just a browser
David Dahl
david at ddahl.com
Wed Feb 9 18:06:57 PST 2011
On Wed, Feb 9, 2011 at 7:24 PM, Moxie Marlinspike
<moxie at thoughtcrime.org> wrote:
>
> Hey David, just to make sure I haven't misunderstood, is that idea that
> by making cryptographic building blocks available through the DOM,
> people will be able to write webapps which do cryptographic operations
> on the browser side?

Exactly.

> This is something that's come up for me a number of times, but in the
> end it always feels like "trusting dynamic code that someone gives me"
> can be reduced to trusting that very same source with your plaintext data.
>
Indeed, that is true - this is at least one step further, since the
crypto bits are built into the browser and are fast native code. The
trust issue will always be there. This is true now whenever we log
into bank websites. I am hoping we can nail this stuff down as much as
possible, but it will come down to services being created that are
also open source projects, and people's use of them will depend on the
reputation of the host. This will be cracked regardless.

> How do you verify that, every single time you visit a webapp, you've
> been given code which is actually doing the correct thing? Solving that
> problem seems like a large outstanding research question.

That is a great research question. An extension could easily read the
script source files and confirm checksums after loading, but that will
also depend on the host distributing the checksum in the first place.
>
> jsctypes is a huge relief, by the way. Honestly, I think just having a
> JS library which manages the jsctypes bindings to NSS and the NSPR is
> really valuable to addon developers alone.

Indeed - this module was an XPCOM service until a colleague of mine
ported it to a JavaScript Module via jsctypes. It is very cool
technology.

Cheers,
David
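
The checksum check mentioned in the reply above, sketched as an added example (not code from this thread or from the module under discussion). Node's `crypto` stands in for whatever hashing an extension would use, and the paths, script bodies and function names are constructed for illustration. The last case shows why the source of the checksums matters.

```javascript
// Added example: compare loaded script sources against pinned SHA-256 digests.
const { createHash } = require('crypto');

// Hex SHA-256 of a script's exact source text.
function sha256Hex(source) {
  return createHash('sha256').update(source, 'utf8').digest('hex');
}

// Build a manifest {url: digest} from a set of scripts {url: source}.
function manifestOf(scripts) {
  return Object.fromEntries(
    Object.entries(scripts).map(([url, src]) => [url, sha256Hex(src)]));
}

// Check every loaded script against the manifest. A script the manifest
// does not list is treated as a failure, not silently accepted.
function verifyScripts(loaded, manifest) {
  const report = { ok: [], mismatch: [], unlisted: [] };
  for (const [url, source] of Object.entries(loaded)) {
    if (!Object.prototype.hasOwnProperty.call(manifest, url)) {
      report.unlisted.push(url);
    } else if (sha256Hex(source) === manifest[url]) {
      report.ok.push(url);
    } else {
      report.mismatch.push(url);
    }
  }
  report.trusted = report.mismatch.length === 0 && report.unlisted.length === 0;
  return report;
}

// Constructed sample: the code that was reviewed, and digests pinned from it
// out of band (for example, shipped inside the extension itself).
const reviewed = { '/js/app.js': 'encrypt(msg, key);', '/js/ui.js': 'render();' };
const pinned = manifestOf(reviewed);

// Constructed sample: what a host serving altered code might deliver.
const served = {
  '/js/app.js': 'encrypt(msg, key); send(msg);',
  '/js/ui.js': 'render();',
  '/js/extra.js': 'x();',
};

console.log(verifyScripts(reviewed, pinned).trusted);            // reviewed code
console.log(verifyScripts(served, pinned));                      // pinned digests
// If the digests come from the same host, the check is circular and passes.
console.log(verifyScripts(served, manifestOf(served)).trusted);
```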