[cryptography] Repeated Encryptions Considered.... ?

Steven Bellovin smb at cs.columbia.edu
Sun Jun 19 17:49:27 EDT 2011

On Jun 19, 2011, at 5:36 05PM, Marsh Ray wrote:

> On 06/18/2011 10:44 PM, Tom Ritter wrote:
>> I got in a discussion recently about this, in the specific case of
>> encrypting something in javascript, and then again in SSL.  Trying to
>> avoid the argument over javascript crypto I thought it was absurd that
>> NOT using SSL was a reasonable decision.  The response was the 'don't
>> double encrypt' argument, without any real facts to back it up.
> Now I've heard everything. Javascript crypto proponents using it as an argument against SSL. Tell them that they should use SSL properly and consider that an argument against Javascript crypto instead. And hold on to your wallet.

They solve different problems, at least if used correctly.  SSL secures
the channel; Javascript secures (or can secure) the transmitted object itself.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb

More information about the cryptography mailing list