[liberationtech] Standalone JS apps vs. browser extensions, which is better?

Steve Weis steveweis at gmail.com
Mon Aug 26 12:34:31 PDT 2013


If delivered as a regular JavaScript web app, then Francisco, anyone
at Site 44, or anyone at Dropbox can steal PassLok keys and messages
anytime they want.

I do not think it's realistic to expect every single user to "look at
the code before [they] execute it" for every single page load. As
already discussed, Francisco's method of hashing the JavaScript code
doesn't work across different browsers and encodings. Even if it
worked, users would need a client-side tool to verify it, which means
it is no longer browser-based.

On Mon, Aug 26, 2013 at 11:44 AM, Francisco Ruiz <ruiz at iit.edu> wrote:
>
> So, I'm inclining toward keeping PassLok as a securely delivered, but strictly self-contained web app. At least this way you can look at the code before you execute it.


