[liberationtech] Snakeoil and suspicious encryption services
Tony Arcieri
bascule at gmail.com
Mon Jul 21 10:44:52 PDT 2014
On Mon, Jul 21, 2014 at 2:59 AM, Aymeric Vitte <vitteaymeric at gmail.com>
wrote:
>
> So Peersm is a monolithic js code app, monolithic so you don't load tons
> of potentially insecure modules, it does not use neither rely on any
> plugin/add-on, for always the same reason: you must be able to check
> precisely what the app is doing.
>
Browser extensions allow you to use web technologies, including HTML/JS,
while still providing a verifiable archive of its contents that can be
digitally signed.
Compare to a web page, which is ephemeral and makes it difficult to detect
changes between versions.
But of course you must load the code at a certain point of time, I am not
> going to reexplain why the main page of Peersm is not using https, this
> will anyway not secure the code loading, this part can be insecure
Then an attacker with a privileged network position (e.g. your barista) can
rerwrite your JS code to exfiltrate whatever secrets you were hoping to
protect with it. Or perhaps they could just shut the encryption off.
Your opinions about web security are about as diametrically opposite from
reality as they can be. What are you expecting people to do, read the
source code of your web page every time they intend to use it?
Please read this:
http://matasano.com/articles/javascript-cryptography/
--
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140721/aa6120d6/attachment-0001.html>
More information about the liberationtech
mailing list