[cryptography] Introducing SC4 -- feedback appreciated

Ben Laurie ben at links.org
Sat Apr 18 10:28:26 EDT 2015


On 18 April 2015 at 00:51, Tony Arcieri <bascule at gmail.com> wrote:
> On Fri, Apr 17, 2015 at 11:56 AM, Ron Garret <ron at flownet.com> wrote:
>>
>> The fact that to use PGP you have to install an application.  (This is
>> true for Peerio as well.)  That turns out to be too much friction for most
>> people.  Whenever you have to install an application you have to decide
>> whether or not you trust the application, and most people have no basis for
>> making that assessment.
>
>
> Why should anyone trust your web page? Do you expect people to audit the
> source code every time they use it? If they don't, perhaps you made a change
> which exfiltrates the plaintext to your personal server. Perhaps you
> targeted a single person, and everyone else sees the "real version".
>
> This is why web pages aren't trustworthy for cryptographic purposes.
>
> I wrote a blog post on this topic:
>
> http://tonyarcieri.com/whats-wrong-with-webcrypto

This is why we need Binary Transparency (for web pages, in this case).

The same problem exists for all executables, of course.

