[cryptography] Introducing SC4 -- feedback appreciated

stef s at ctrlc.hu
Fri Apr 17 14:21:45 EDT 2015


On Fri, Apr 17, 2015 at 10:56:01AM -0700, Ron Garret wrote:
> 1.  It is a standalone web application.

putting keys in the browser is like putting keys in front of a dmz. browsers
are not designed for this, they are designed for delivering impressions and
services to you. the security features you find in any browser are there to
secure the revenue-stream of some companies, not for the protection of the
interests of its users (same goes for phones). the tool might be good
(haven't checked), but the foundation it's built on is sand. you want to
isolate your keys, current end-host security does not provide much protection
against some malware in case recovery of your keys becomes a priority. you
also want to make sure the code running is authentic, with js delivered over
the net this is quite hard to do verifiably (again, not your protection,
industry revenues are the thing to protect).

