[liberationtech] Defeating massive wiretapping with opportunistic, unauthenticated encryption in HTTP ?
Guido Witmond
guido at witmond.nl
Mon Oct 28 07:14:02 PDT 2013
On 10/26/13 11:02, Fabio Pietrosanti (naif) wrote:
> Greetings,
...
> The idea is to fix this problem by creating a technology that enables
> opportunistic encryption of all data exchanged (via AJAX) by modern
> javascript applications by leveraging unauthenticated TLS with DHE
> ciphers (providing Perfect Forward Secrecy).
>
> This could be realized by providing a "thin" layer of integration into
> any existing Javascript application to wrap the XHR/Ajax requests,
> proxying them through a Javascript TLS Client, with some server-side code
> acting as a gateway/minimal TLS implementation working within an HTTP in
> HTTP tunnelling model.
>
> If a technology like that would exist, it would be possible to integrate
> it as part of Wordpress or Django or other commonly used web
> framework/technology.
>
> This would provide by default unauthenticated TLS encryption for most of
> its web traffic, with perfect forward secrecy, without HTTPS.
>
> I tried to summarize the idea on the Forge (Javascript TLS stack) github
> issue at https://github.com/digitalbazaar/forge/issues/84 .
>
> I know that this kind of argument attracts crypto-trolling ("Javascript
> encryption" and "Unauthenticated encryption" and "Opportunistic
> encryption") but I think that it's worth discussing because it could be
> a revolutionary approach to challenge massive wiretapping.
>
> What do various people think about this approach?
>
One question: How does the javascript get to the browser without any
interference from intermediate parties?
Guido.