[liberationtech] Encrypted Pastebins: Attack Vectors against ezcrypt.it and 0bin.net
Eduardo Robles Elvira
edulix at gmail.com
Wed Jan 15 04:34:53 PST 2014
On 15/01/14 10:34, coderman wrote:
> 2) "JS is what the owner claims it is" is suspect in BULLRUN
> situation where private keys pilfered. (not to mention all the
> other subversive techniques applied)
>
> 3) the attack surface of the browser. nuff said! (or said
> again, "just listen" is only harmless if no prior active
> intervention has occurred)

Hello people:

What's wrong with webcrypto is that if you want to create a secure
chat app, or an encrypted voting system (as I do), or secure etherpad,
or anything that needs JavaScript cryptography, you have to trust the
JavaScript provided by the web server.

This is what I call the server-in-the-middle attack. My proposal would
be to do something like SSL for end-to-end crypto. To have secure
isolated reusable web-components so that you don't need to trust the
web site, but the web browser. I proposed this some time ago:
http://edulix.wordpress.com/2012/01/08/the-server-in-the-middle-problem-and-solution/

Regards,
Eduardo