[liberationtech] Snakeoil and suspicious encryption services

Tony Arcieri bascule at gmail.com
Mon Jul 21 18:16:52 PDT 2014 

On Mon, Jul 21, 2014 at 5:52 PM, Aymeric Vitte <vitteaymeric at gmail.com>
wrote:

>  You obviously don't know what you are talking about or just did not get
> what I explained or just do not understand http versus https or the
> contrary, or just do not understand the web, what's on client side
> (browser) or on server side, or don't get that your extension can be mitmed
> too including its signature.
>

Hey, it's just my job. I also write a whole blog post on the matter:

http://tonyarcieri.com/whats-wrong-with-webcrypto

I develop webapps that are served over HTTPS, HSTS, and use Content
Security Policy (CSP). You write webapps that are served over plaintext
HTTP and don't use content security policy, and if they did, it wouldn't
matter, because an active attacker can write the CSP header unless you're
using HTTPS.

tl;dr: I am using state-of-the-art web security. You are selling snake oil.
You are vociferously defending your snake oil.

but first checkout what is writen on Peersm site, everything is explained
>

Your site is broken. It's unsafe. You don't know what you're doing. You're
clueless, and worse, you have some kind of Dunning-Kruger complex that
makes you think the opposite of what you should be doing from a security
perspective is a good idea.

There's no beating around the bush here. You are wrong, wrong, wrong.
Peersm is horribly insecure, and nobody should be using it.

Please read about the problem. I already linked you the Matasano article:

http://matasano.com/articles/javascript-cryptography/

But please also consider reading the book the Tangled Web:

http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886

Here is a checklist of things you don't have which, at a minimum, you need
to implement for your site to be remotely secure (and even then, users of
your site are still vulnerable to you changing the code and exfiltrating
their secrets):

- HTTPS: https://en.wikipedia.org/wiki/HTTP_Secure
- HSTS: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- CSP:
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy

-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140721/0ac9e46f/attachment.html>

More information about the liberationtech mailing list