[cryptography] Introducing SC4 -- feedback appreciated

Tony Arcieri bascule at gmail.com
Fri Apr 17 18:51:23 EDT 2015


On Fri, Apr 17, 2015 at 11:56 AM, Ron Garret <ron at flownet.com> wrote:

> The fact that to use PGP you have to install an application.  (This is
> true for Peerio as well.)  That turns out to be too much friction for most
> people.  Whenever you have to install an application you have to decide
> whether or not you trust the application, and most people have no basis for
> making that assessment.


Why should anyone trust your web page? Do you expect people to audit the
source code every time they use it? If they don't, perhaps you made a
change which exfiltrates the plaintext to your personal server. Perhaps you
targeted a single person, and everyone else sees the "real version."

This is why web pages aren't trustworthy for cryptographic purposes.

I wrote a blog post on this topic:

http://tonyarcieri.com/whats-wrong-with-webcrypto

-- 
Tony Arcieri