[liberationtech] Encrypted Pastebins: Attack Vectors against ezcrypt.it and 0bin.net
Uncle Zzzen
unclezzzen at gmail.com
Fri Jan 17 10:52:07 PST 2014
On 15 January 2014 18:21, carlo von lynX <lynX at time.to.get.psyced.org> wrote:
>
> also you're living in the past if you think a server hard drive
> needs to be confiscated to be examined. in the case of a VPS it's
> enough to have a root shell on the physical host. in the case of
> either a VPS or a dedicated server it's enough to p0wn the SMM.
>
In that case, we shouldn't trust anything unless it's [hopefully]
hostile-player-proof P2P, then we're back to "confiscate the hard drive"
times.
Or would they pwn all desktops as well? (I assume all phones are pwned by
definition :) ).
> it is reasonable to argue that the web browser is such a complex
> monster it is impossible to secure. i presumed that to be obvious
> but maybe it should be mentioned for completeness.
>
IMHO the answer is projects like https://www.syndie.de/ that deliberately
have a "lame html browser" as the gui, and all crypto is done outside the
DOM.
I know Syndie is not a realtime app (and chats/etc. would need some more
functionality), but maybe it's a good idea to build "app-specific secure
browsers" (that can't browse http[s]: urns directly) from the bottom up,
hopefully with a saner language than javascript to control them.
Are there any "browsers" like this out there?