[cryptography] Introducing SC4 -- feedback appreciated
ron at flownet.com
Fri Apr 17 22:38:50 EDT 2015
On Apr 17, 2015, at 6:59 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Fri, Apr 17, 2015 at 4:25 PM, Ron Garret <ron at flownet.com> wrote:
> Why should anyone trust anyone’s web page? When was the last time you obtained a software application that was *not* delivered via the web?
> The same thing applies to every Smartphone app.
> Short of a line-by-line source code audit each time you load a web page, this isn't possible with the web today.
It’s not quite that bad. You only have to audit the code once, and then verify that what you’re running is the same as what you audited. It’s true that there is a real problem here, but it’s not quite as bad as you describe. (And, it is worth noting, it is a political problem, not a technical one. There is no technical obstacle to defining and implementing a signature verification protocol for web pages. In fact, you could even implement a secure script loader using SC4. Hm, there’s an idea :-)
> No. SC4 was designed to support a wide variety of risk postures. If you don’t trust my server, you can run SC4 from a standalone file on your own file system
> How is this materially any different than "installing an app”?
It isn’t any different. That’s the whole point. If you want the security of a local app you can have that. If you want the convenience of a web app at the cost of having to trust the server, you can have that too.
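
The "audit the code once, and then verify that what you're running is the same as what you audited" step described in the message above, as an added example that is not part of the original message and is not SC4 code. It pins a digest at audit time rather than a signature, borrows the `alg-base64` pin syntax from Subresource Integrity, and all function names and the sample script are constructed for illustration.

```javascript
// Added example: check script bytes against a digest pinned at audit time.
const nodeCrypto = require('crypto');

// Algorithms accepted in a pin, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Parse a pin such as "sha256-<b64> sha384-<b64>" into {alg, digest} entries.
function parsePin(pin) {
  return pin.trim().split(/\s+/).map((item) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(item);
    if (!m) throw new Error('malformed pin entry: ' + item);
    return { alg: m[1], digest: Buffer.from(m[2], 'base64') };
  });
}

// True only if `body` hashes to a pinned digest of the strongest algorithm
// present; weaker entries are ignored so they cannot be used to downgrade.
function matchesPin(body, pin) {
  const entries = parsePin(pin);
  const best = entries.reduce((a, e) =>
    STRENGTH.indexOf(e.alg) > STRENGTH.indexOf(a) ? e.alg : a, entries[0].alg);
  const actual = nodeCrypto.createHash(best).update(body).digest();
  return entries
    .filter((e) => e.alg === best)
    .some((e) => e.digest.length === actual.length &&
                 nodeCrypto.timingSafeEqual(e.digest, actual));
}

// Return the script text if it matches the pin; throw before anything is run.
function loadAudited(body, pin) {
  if (!matchesPin(body, pin)) throw new Error('script differs from audited copy');
  return body.toString('utf8');
}

// Helper used once, at audit time, to produce the pin for the reviewed bytes.
function pinFor(body, alg) {
  return alg + '-' + nodeCrypto.createHash(alg).update(body).digest('base64');
}

// Constructed sample: the "audited" script and the pin recorded for it.
const audited = Buffer.from('function greet() { return "hello"; }\n');
const AUDIT_PIN = pinFor(audited, 'sha384');
```

The pin has to reach the user through a channel the server does not control (for example, stored with the locally saved loader); otherwise a server that can change the script can change the pin too.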