[cryptography] Browser JS (client side) crypto FUD
Tony Arcieri
bascule at gmail.com
Sat Jul 26 13:15:39 PDT 2014
On Sat, Jul 26, 2014 at 8:03 AM, Lodewijk andré de la porte <l at odewijk.nl>
wrote:
> Is surprisingly often passed around as if it is the end-all to the idea of
> client side JS crypto.
>
> TL;DR: It's a fantastic load of horse crap, mixed in with some extremely
> generalized cryptography issues that most people never thought about before
> that do not harm JS crypto at all.
>
What's in the Matasano article is common sense advice. It may seem
elementary for some. But you'd be surprised how many sites fit the pattern
the Matasano post describes, arguing that they can provide *better*
security by serving JavaScript crypto code over easily-MitMed plaintext
HTTP.
Here are a couple offenders...
#3 Google search result for "encrypted chat":
http://www.chatcrypt.com/
Not popular by Google results, but a similarly silly effort:
http://www.peersm.com/
--
Tony Arcieri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1710 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20140726/033b5a27/attachment-0001.txt>
More information about the cypherpunks
mailing list