[cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?

stef s at ctrlc.hu
Wed Mar 11 08:38:09 EDT 2015

On Wed, Mar 11, 2015 at 01:28:27PM +0100, Fabio Pietrosanti (naif) - lists wrote:
> > serbia sounds like a state level actor, and i heard that the publeaks people
> > also get attention from the local services.
> The reality is that each scenarios have it's own peculiarities, really,
> it would be a very long and complex discussion that require few hours to
> analyze each scenarios details.

let's stick with the webcrypto aspect, and the fact that both governments
control their own CA in the browsers. the dutch CA being even historically
shared with some other parties.

> PubLeaks in the Netherland has been deployed with Tails as "Leaktops"
> for the journalists for end-point security, with GlobaLeaks being hosted
> by a well-known third party within the activists community (GreenHost),
> with servers deployed in a geo-political smart way, with service
> contract done with the "PubLeaks Foundation" (a legal entity created on
> purpose) to be resilient against certain kind of "legal threats".

how does that protect against active covert attacks? luckily parallel
constructions will save your conscience from feeling responsible.

> OCCRPLeaks do require instead, in Bosnia and balkan-area, to leverage
> "plausible deniability" by embedding GlobaLeaks within existing HTTPS
> site (https://occrp.org) because plausible deniability has been
> considered, after threat-modelling with the stakeholders, more relevant
> than just saying "Hey, use Tor to access this .onion site" .

how is using stuff over ssl in the country where the adversary controls a
local CA plausible deniability? 

> When you work supporting the many initiatives you'll just realize that
> many time, the cryptographic/technical implementation side of a
> Whistleblowing initiative's security, is a minor part and shall be
> considered in a broader "Security" threat model.


> Given that the picture is complex and variegate enough, we are providing
> such a differentiated set of security levels, from a technical and
> procedural point of view.

so you allow your clients to shoot themselves in the foot.

> The way you work in a place where "The rule of law" is effective, it's

that's a quite bold assumption even in europe today :/

otr fp: https://www.ctrlc.hu/~stef/otr.txt

More information about the cryptography mailing list