[cryptography] Introducing SC4 -- feedback appreciated

Tony Arcieri bascule at gmail.com
Fri Apr 17 21:59:16 EDT 2015


On Fri, Apr 17, 2015 at 4:25 PM, Ron Garret <ron at flownet.com> wrote:

> Why should anyone trust anyone’s web page?  When was the last time you
> obtained a software application that was *not* delivered via the web?
>

There's a big difference between a web page with JavaScript loaded in a
browser and a static artifact delivered over the HTTP protocol. Static
artifacts downloaded over HTTP by tools like apt-get or yum for example can
carry cryptographic signatures that are checked before the artifact is
used. In fact this same thing applies to browser extensions like Minilock
or Peerio. This means there's a transparent history of these artifacts, and
you can verify you got the same version as everyone else.

The same thing applies to every smartphone app.

Short of a line-by-line source code audit each time you load a web page,
this isn't possible with the web today.

> No.  SC4 was designed to support a wide variety of risk postures.  If you
> don’t trust my server, you can run SC4 from a standalone file on your own
> file system
>

How is this materially any different than "installing an app"? Especially a
Chrome App like Peerio. That's effectively what Chrome lets you do, except
such apps carry cryptographic signatures from their publishers, so you have
end-to-end security.

-- 
Tony Arcieri