[liberationtech] How do I prevent a Javascript program from being tampered with?

Francisco Ruiz ruiz at iit.edu
Sun Aug 4 12:20:12 PDT 2013


Hi folks, here's me again seeking ideas to make PassLok the best it can be.

PassLok (link at the bottom) is a free web app that does public-key
cryptography using elliptic curves. Since it consists only of a single HTML
file with JavaScript code (all processing is client-side), there is a
chance that an attacker might intercept the code or hack it at the source,
and the user would be no wiser.

To prevent this, I publish the SHA256 of the code (which PassLok itself can
compute, though it is better to use an external utility), and then I read
the resulting string in a YouTube video, with some background music. Both
are linked from the PassLok help file. Here's the video I just made:

https://www.youtube.com/watch?v=ZXWcIvLs4t0

I think that an attacker would have a very hard time making a fake video
for the SHA256 of a counterfeit program, and therefore get away with
tampering with the code.

What do you think? Can you give me a better idea?

Thanks!

-- 
Francisco Ruiz
Associate Professor
MMAE department
Illinois Institute of Technology

PL12lok=KpYv+bqJ7pq0eqC664UlIcwfl1P8f8p12NUqFdg2bQ2gTQTBuOo09BQs3GGiYOQUuQmtnoceAxJoSzjvYEYOM0q=PL12lok

get the PassLok privacy app at: http://passlok.com