[cryptography] Browser JS (client side) crypto FUD

Tony Arcieri bascule at gmail.com
Sat Jul 26 16:15:39 EDT 2014


On Sat, Jul 26, 2014 at 8:03 AM, Lodewijk andré de la porte <l at odewijk.nl>
wrote:

> Is surprisingly often passed around as if it is the end-all to the idea of
> client side JS crypto.
>
> TL;DR: It's a fantastic load of horse crap, mixed in with some extremely
> generalized cryptography issues that most people never thought about before
> that do not harm JS crypto at all.
>

What's in the Matasano article is common sense advice. It may seem
elementary for some. But you'd be surprised how many sites fit the pattern
the Matasano post describes, arguing that they can provide *better*
security by serving JavaScript crypto code over easily-MitMed plaintext
HTTP.

Here are a couple offenders...

#3 Google search result for "encrypted chat":

http://www.chatcrypt.com/

Not popular by Google results, but a similarly silly effort:

http://www.peersm.com/

-- 
Tony Arcieri