[liberationtech] Crypho
Steve Weis
steveweis at gmail.com
Sat Mar 23 17:11:37 PDT 2013
Hi Yiorgis. The Crypho web page says:
"No-one can access your data, either in transit or when stored — Not even
Crypho staff or the government."
Yet, you acknowledge that "we are aware of the potential problems of
serving JS [Javascript]", meaning it's trivial for your staff or a
government to compromise the Javascript code and cause it to leak plaintext
data.
Even the authors of the Stanford Javascript Crypto Library (SJCL), which
Crypho "uses solely", say that it's not feasible to secure:
"Unfortunately, [SJCL] is not as great as in desktop applications because
it is not feasible to completely protect against code injection, malicious
servers and side-channel attacks." (http://crypto.stanford.edu/sjcl/)
On Sat, Mar 23, 2013 at 3:57 AM, Yiorgis Gozadinos <ggozad at crypho.com>wrote:
> We are aware of the potential problems of serving js. We will eventually
> ship an installable app, but at the moment, with daily updates, ease of
> deployment wins.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130323/5de8618b/attachment.html>
More information about the liberationtech
mailing list