[liberationtech] Is cryptico.js any good?

Uncle Zzzen unclezzzen at gmail.com
Wed Oct 12 17:26:25 PDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks, Steve.
I took the liberty of publishing your reply, since I'm not the only
one who was asking this:
http://blog.thedod.iriscouch.com/6b99948869ce0ec3a2e6a51da3c281a9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk6WL+gACgkQp1i9N8LBrvsHsQCgwOsykon6lp3GqEUwzWZzZ+/U
Gp0AoK41x6KQXXl0/V/pbabYUVMvz/yY
=YmtW
-----END PGP SIGNATURE-----

On Thu, Oct 13, 2011 at 5:37 AM, Steve Weis <steveweis at gmail.com> wrote:
> There are good reasons not to use Javascript crypto in general:
> http://www.matasano.com/articles/javascript-cryptography/
> http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/
> Regardless, I wouldn't trust Cryptico because its underlying implementations
> are all written from scratch and I have no idea if any of them are safe.
> Quickly scanning through their code, I see some questionable practices.
> For example, they are seeding randomness from the time of day:
> https://code.google.com/p/cryptico/source/browse/trunk/random.js#376
> And the "signature" is just a hash and is on the plaintext, rather than
> ciphertext:
> https://code.google.com/p/cryptico/source/browse/trunk/cryptico.js#3487
> On Wed, Oct 12, 2011 at 2:56 PM, Uncle Zzzen <unclezzzen at gmail.com> wrote:
>>
>> http://cryptico.wwwtyro.net/ is a javascript RSA library
>> At the bottom of https://code.google.com/p/cryptico/ there's a tech
>> summary of the algorithms and libraries it uses.
>>
>> Does anyone here know it? How good is it? Is there any reason NOT to use it?
>> Any other considerations? (e.g. if it's not over SSL - client-side
>> code can be MITMed).
>>
>> Thanks,
>> The Dod
>



-- 
http://zzzen.com/zzzen.asc
4759 A11D 6E05 D778 4A51  A002 A758 BD37 C2C1 AEFB


