CloudFlare Keyless SSL WAS Re: Snowden on the Twitters

Travis Biehn tbiehn at
Wed Sep 30 08:50:41 PDT 2015

An oldie, somewhat OT.

I enjoyed CF's bit of engineering here - of course CF is still a point
where they are working with injectable plaintext. At least they don't have
your private key material.

What would be solid is if there were a browser module that did several
Eliminated JavaScript dynamic calls (eval, new function(), setTimeout,
setInterval, so on.)
Eliminate 3rd party assets.
Allowed web assets to be signed.
Allowed sets of web assets to be versioned (and attested to by 3rd parties.)

Dynamic HTML and JS (read, non-static HTML & JS) would not be supported.

The combination of signing, versioning and lack of dynamic features paves
the way for uninjectable, client-side in browser encryption/decryption.
Something AFAIK we cannot do today. Is anyone working on it?


On Wed, Sep 30, 2015 at 11:23 AM, Georgi Guninski <guninski at>

> On Wed, Sep 30, 2015 at 01:26:18AM -0400, grarpamp wrote:
> >
> How this scores on twatter:
> 1.03 meeelion followers for about 23 hours on twatter?
> (not sure about the error terms).

Twitter <> | LinkedIn
<> | GitHub <>
| <> | Google Plus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2424 bytes
Desc: not available
URL: <>

More information about the cypherpunks mailing list