[liberationtech] Snakeoil and suspicious encryption services

Aymeric Vitte vitteaymeric at gmail.com
Mon Jul 21 12:59:21 PDT 2014 

Please read again what I have written, your answer just extracts really 
basic parts out of the context and does not take into account the whole 
picture that I have explained, I already read the link you provided some 
years ago, I recall it as trivial and/or too old statements 
unfortunately having still enough visibility on the web to disinform people.

The code loading is an unsolvable issue unless you do what I have writen.

Extensions, plug-in, add-on can not secure you more than a js code that 
you can not hide (the question is not only to make sure you have the 
right code, but to be able to check what it is doing).

And at the end, what I am talking about is a standalone js app inside 
browsers, this is highly doubtful that someone can question the security 
of this, I would like to see it (but then please read exactly what I wrote)

Regards


Le 21/07/2014 19:44, Tony Arcieri a écrit :
> On Mon, Jul 21, 2014 at 2:59 AM, Aymeric Vitte <vitteaymeric at gmail.com 
> <mailto:vitteaymeric at gmail.com>> wrote:
>
>     So Peersm is a monolithic js code app, monolithic so you don't
>     load tons of potentially insecure modules, it does not use neither
>     rely on any plugin/add-on, for always the same reason: you must be
>     able to check precisely what the app is doing.
>
>
> Browser extensions allow you to use web technologies, including 
> HTML/JS, while still providing a verifiable archive of its contents 
> that can be digitally signed.
>
> Compare to a web page, which is ephemeral and makes it difficult to 
> detect changes between versions.
>
>     But of course you must load the code at a certain point of time, I
>     am not going to reexplain why the main page of Peersm is not using
>     https, this will anyway not secure the code loading, this part can
>     be insecure
>
>
> Then an attacker with a privileged network position (e.g. your 
> barista) can rerwrite your JS code to exfiltrate whatever secrets you 
> were hoping to protect with it. Or perhaps they could just shut the 
> encryption off.
>
> Your opinions about web security are about as diametrically opposite 
> from reality as they can be. What are you expecting people to do, read 
> the source code of your web page every time they intend to use it?
>
> Please read this:
>
> http://matasano.com/articles/javascript-cryptography/
>
> -- 
> Tony Arcieri
>
>

-- 
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140721/73289cb1/attachment.html>

More information about the liberationtech mailing list