[liberationtech] Crypho
zooko
zooko at zooko.com
Fri Jun 7 21:57:28 PDT 2013
On Tue, Mar 26, 2013 at 09:24:13AM +0100, Yiorgis Gozadinos wrote:
>
> Assuming there is a point of reference for js code, some published instance of the code, that can be audited and verified by others that it does not leak. The point then becomes: "Is the js I am running in my browser the same as the js that everybody else is?".
> Like you said, it comes down to the trust one can put in the verifier.
> A first step could be say for instance a browser extension, that compares a hash of the js with a trusted authority. The simplest version of that would be a comparison of a hash with a hash of the code on a repo.
> Another (better) idea, would be if browser vendors would take up the task (say Mozilla for instance) and act as the trusted authority and built-in verifier. Developers would sign their code and the browser would verify.
> Finally, I want to think there must be a way for users to broadcast some property of the js they received. Say for example the color of a hash. Then when I see blue when everyone else is seeing pink, I know there is something fishy. There might be a way to even do that in a decentralised way, without having to trust a central authority.
Dear Yiorgis:

I think this is a promising avenue for investigation. I think the problem is
that people like you, authors of user-facing apps, know what the problem is
that you want to solve, but you can't solve it without help from someone else,
namely the authors of web browsers.

With help from the web browser, this problem would be at least partly solvable.

There is no reason why this problem is more impossible to solve for apps
written in Javascript and executed by a web browser than for apps written in a
language like C# and executed by an operating system like Windows.

Perhaps the next step is to explain concisely to the makers of web browsers
what we want.

Ben Laurie has published a related idea:

http://www.links.org/?p=1262

Regards,

Zooko
https://tahoe-lafs.org - Free, Open Source Secure Decentralized Storage
https://LeastAuthority.com - Commercial Ciphertext Storage Service
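
Added example, not part of the original message: the two checks described in the quoted text, written in JavaScript for Node.js. It compares a received script's hash with a published reference and picks out the user who sees "blue when everyone else is seeing pink". The function names, sample scripts and reference hash are constructed for illustration.

```javascript
// Added illustration; function names and sample scripts are constructed.
const { createHash } = require("crypto");

// Constructed stand-ins for the audited script and a modified copy.
const AUDITED = "function send(msg, key) { return seal(msg, key); }\n";
const MODIFIED = "function send(msg, key) { leak(key); return seal(msg, key); }\n";

// SHA-256 over the exact text the browser received, as lowercase hex.
function digestHex(source) {
  return createHash("sha256").update(source, "utf8").digest("hex");
}

// Stands in for the hash published alongside the audited code in the repo.
const REFERENCE = digestHex(AUDITED);

// Simplest verifier: received script vs. the published reference hash.
function matchesReference(source, referenceHex) {
  return digestHex(source) === referenceHex.toLowerCase();
}

// "Color of a hash": first 24 bits as an RGB value. It is a visual cue only;
// 24 bits are far too few to resist a deliberately crafted collision.
function hashColor(source) {
  return "#" + digestHex(source).slice(0, 6);
}

// Decentralised comparison. Reports carry the script text here so the example
// is self-contained; in practice users would exchange only the digest.
// A digest held by a strict majority is the consensus; everyone else is an
// outlier. With no strict majority nothing can be concluded.
function findOutliers(reports) {
  const byDigest = new Map();
  for (const [user, source] of Object.entries(reports)) {
    const d = digestHex(source);
    byDigest.set(d, [...(byDigest.get(d) || []), user]);
  }
  const total = Object.keys(reports).length;
  for (const [d, users] of byDigest) {
    if (users.length * 2 > total) {
      const outliers = Object.keys(reports).filter((u) => !users.includes(u));
      return { majority: d, color: "#" + d.slice(0, 6), outliers };
    }
  }
  return { majority: null, color: null, outliers: [] };
}

const result = findOutliers({ alice: AUDITED, bob: AUDITED, carol: MODIFIED, dave: AUDITED });
console.log(matchesReference(MODIFIED, REFERENCE), hashColor(AUDITED), result.outliers);
```

The majority comparison only helps if most reporters receive the unmodified script and the channel they compare over is not controlled by the server that delivers the code.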