[cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Wed Mar 11 08:28:27 EDT 2015

On 3/11/15 1:10 PM, stef wrote:
>> GlobaLeaks it's designed to be a Whistleblowing framework that can be
>> used in very different context, from WildLife Crime Activism up to
>> Anticorruption in Serbia up to PubLeaks-like Journalism in Netherland,
>> keeping the maximum level of security achievable for a specific context
>> of use.
> serbia sounds like a state level actor, and i heard that the publeaks people
> also get attention from the local services.
The reality is that each scenarios have it's own peculiarities, really,
it would be a very long and complex discussion that require few hours to
analyze each scenarios details.

PubLeaks in the Netherland has been deployed with Tails as "Leaktops"
for the journalists for end-point security, with GlobaLeaks being hosted
by a well-known third party within the activists community (GreenHost),
with servers deployed in a geo-political smart way, with service
contract done with the "PubLeaks Foundation" (a legal entity created on
purpose) to be resilient against certain kind of "legal threats".

OCCRPLeaks do require instead, in Bosnia and balkan-area, to leverage
"plausible deniability" by embedding GlobaLeaks within existing HTTPS
site (https://occrp.org) because plausible deniability has been
considered, after threat-modelling with the stakeholders, more relevant
than just saying "Hey, use Tor to access this .onion site" .

In Africa for AfriLeaks we're considering that, in certain country, it's
better to avoid using any Tails or Tor stuff, but better implement
deception strategies.

When you work supporting the many initiatives you'll just realize that
many time, the cryptographic/technical implementation side of a
Whistleblowing initiative's security, is a minor part and shall be
considered in a broader "Security" threat model.

Given that the picture is complex and variegate enough, we are providing
such a differentiated set of security levels, from a technical and
procedural point of view.

Consider that in most situation, when you consider significant threats,
only opsec procedures and stakeholder organization can provide some
degree of protection (or at least detection), with technology playing a
little role.

The way you work in a place where "The rule of law" is effective, it's
very different from working in a place where having an encrypted usb
stick with you can lead to Tortures.

Hope to have provided a broader view on how complex and complicated can
be our threat model, so that we must choose individual security choices
that enable use to provide a graduated/configurable level of security
(that could go up, being very strong, or go down, being more flexible).

Btw, that's not the goal of this thread, but i loved to articulate an
answer! :)

Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi

More information about the cryptography mailing list