[cryptography] Introducing SC4 -- feedback appreciated

Ron Garret ron at flownet.com
Fri Apr 17 15:14:40 EDT 2015


On Apr 17, 2015, at 12:04 PM, stef <s at ctrlc.hu> wrote:

> On Fri, Apr 17, 2015 at 11:56:48AM -0700, Ron Garret wrote:
>> On Apr 17, 2015, at 11:27 AM, Dominik Schuermann
>> <dominik at dominikschuermann.de> wrote:
>>> what problem of traditional PGP implementations did you solve?
>> 
>> The fact that to use PGP you have to install an application.  (This is true
>> for Peerio as well.)  That turns out to be too much friction for most
>> people.  
> 
> that is actually true and sad, instead of new webapps, maybe the focus should
> be on multi-platform installers.
> 
>> Whenever you have to install an application you have to decide
>> whether or not you trust the application,
> 
> i don't see how this decision is not made in the sc4 case

It’s not that you don’t have to make the decision, it’s that the decision is easier (I claim) to make for SC4 than any alternative.  Because SC4 is a web app it is necessarily delivered as source code.  And the code is really, really small (have you looked at it?) so there just aren’t many places for shenanigans to hide.

With regards to your earlier comment about putting keys in browsers, I don’t disagree with you that browsers are not the ideal venue for security applications.  However, I claim they’re not as bad as the conventional wisdom would have you believe.  LocalStorage for HTTPS URLs is reasonably secure, and SC4’s strategy of embedding keys in local copies of itself is also not horrible.  I claim that any attack that can compromise SC4’s keys will also compromise a whole slew of other things that people generally rely on to be secure.  I’m not making any claims about whether people are wise to rely on these things, only that SC4 is no worse than what people are already using for things like on-line banking.

rg