[liberationtech] In defense of client-side encryption
Ximin Luo
infinity0 at gmx.com
Sun Aug 11 13:02:24 PDT 2013
On 11/08/13 20:36, danimoth wrote:
> On 11/08/13 at 01:10pm, Francisco Ruiz wrote:
>> Twice again, privacy has taken a hit across the land. Lavabit and Silent
>> Mail are gone, and to quote Phil Zimmermann, “the writing is on the wall”
>> for any other encrypted email provider located in US territory. This is
>> sure to be repeated for servers located in Europe and other countries. Is
>> this the end of encrypted email?
>
> [cut]
>
> IMHO you are making big statements, taking a lot of risks, and a lot of
> people's lives on your back, as we're not playing here. Are you sure you
> have big enough shoulders?
>
> First, it is in Javascript. Whoever needs cryptography SHOULD NOT use
> javascript. Google can help you ([1] for example, [2] if
> you are coming from a 48h non-stop no-sleep marathon).
>
> Second, someone posted about your random number generator, and you
> ignored it. But this is a minor problem, as all things are in
> Javascript.
>
> Third, you use Javascript. But, wait, I need to sleep. Please stop
> spamming an insecure-by-design product.
>
I think you forgot to mention the design flaw that it implements crypto in javascript.
> Last thing: People, please, use PGP instead of these circus things.
>
Hear, hear. I never bought this whole "users will never install software" "argument". Have you seen the sort of crap the typical non-technical user has installed?
>
> [1] http://www.matasano.com/articles/javascript-cryptography/
> [2] https://www.google.it/search?q=why%20is%20bad%20crypto%20javascript
>
>
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git