[liberationtech] Snakeoil and suspicious encryption services

Aymeric Vitte vitteaymeric at gmail.com
Mon Jul 21 17:52:22 PDT 2014 

You obviously don't know what you are talking about or just did not get 
what I explained or just do not understand http versus https or the 
contrary, or just do not understand the web, what's on client side 
(browser) or on server side, or don't get that your extension can be 
mitmed too including its signature.

So unfortunately I have to stop this discussion right here with you, not 
to waste the time of serious people on this list, if you want to restart 
with another tone, then please go, but first checkout what is writen on 
Peersm site, everything is explained, including your focus on elementary 
mitm issue, your arguments and judgement are so basic that I am 
wondering why I am answering it, you should do some reading, and if you 
can trivially defeat Peersm, then just show us how


Le 21/07/2014 22:53, Tony Arcieri a écrit :
> On Mon, Jul 21, 2014 at 12:59 PM, Aymeric Vitte 
> <vitteaymeric at gmail.com <mailto:vitteaymeric at gmail.com>> wrote:
>
>     Please read again what I have written, your answer just extracts
>     really basic parts out of the context and does not take into
>     account the whole picture that I have explained, I already read
>     the link you provided some years ago, I recall it as trivial
>     and/or too old statements unfortunately having still enough
>     visibility on the web to disinform people.
>
>
> I read what you wrote. You're wrong. You are very, very wrong.
>
>     The code loading is an unsolvable issue unless you do what I have
>     writen.
>
>
> Loading JavaScript of any kind over plaintext HTTP is a bad idea. 
> Loading JavaScript implementing cryptography is a sign you have no 
> fucking clue what you're doing. It's the equivalent of a giant "DANGER 
> WILL ROBINSON: THIS CODE IS UNSAFE" sign.
>
>     Extensions, plug-in, add-on can not secure you more than a js code
>     that you can not hide
>
>
> Browser extensions are cryptographically signed. Plaintext HTTP is 
> trivially rewritten by an attacker. Systems like Peersm are 
> horrendously vulnerable to an active attacker.
>
>     And at the end, what I am talking about is a standalone js app
>     inside browsers, this is highly doubtful that someone can question
>     the security of this, I would like to see it (but then please read
>     exactly what I wrote)
>
>
> If someone has a "privileged network position" (i.e. your barista), 
> they can catastrophically compromise the alleged "security" of such a 
> system via an incredibly trivial MitM attack.
>
> This same attack cannot be performed against cryptographically signed 
> browser extensions. Even adding HTTPS to your HTML/JS site would be a 
> step up.
>
> This app is poorly implemented and dangerous and it would be best for 
> you to either find some way to serve it over HTTPS or delete it from 
> the Internet.
>
>

-- 
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140722/713b6ffb/attachment.html>

More information about the liberationtech mailing list