On 10/26/13 11:02, Fabio Pietrosanti (naif) wrote:
Greetings,
...
The idea is to fix this problem by creating a technology that enables opportunistic encryption of all data exchanged (via AJAX) by modern JavaScript applications by leveraging unauthenticated TLS with DHE ciphers (providing Perfect Forward Secrecy).
This could be realized by providing a "thin" layer of integration into any existing JavaScript application to wrap the XHR/Ajax requests, proxying them through a JavaScript TLS client, with some server-side code acting as a gateway/minimal TLS implementation working within an HTTP-in-HTTP tunnelling model.
If a technology like that existed, it would be possible to integrate it as part of WordPress or Django or other commonly used web frameworks/technologies.
This would provide by default unauthenticated TLS encryption for most of its web traffic, with perfect forward secrecy, without HTTPS.
I tried to summarize the idea on the Forge (JavaScript TLS stack) GitHub issue at https://github.com/digitalbazaar/forge/issues/84 .
I know that this kind of argument attracts crypto-trolling ("JavaScript encryption" and "Unauthenticated encryption" and "Opportunistic encryption"), but I think that it's worth discussing because it could be a revolutionary approach to challenge massive wiretapping.
What do various people think about this approach?
One question: How does the JavaScript get to the browser without any interference from intermediate parties? Guido.