[cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Sun Mar 15 08:08:48 EDT 2015

On 3/15/15 12:45 PM, stef wrote:
>> Check the Threat Model link on https://globaleaks.org in the footer to
>> get a better insight.
> i now understand why you did not link this directly:
> https://docs.google.com/document/d/1niYFyEar1FUmStC03OidYAIfVJf18ErUFwSWCmWBhcA/pub
> seriously on google? your threatmodel seems indeed quite limited.
> you should be much more open about your limits.
Stef, don't troll! :-)

In most places in the world whistleblowing is done by sending email over
Gmail, that's the reality you have to live with.

To be more realistic, from several investigative journalism groups
we've been told that many sources directly use Facebook over the
Facebook Pages as a preferred way to share confidential information.

When you look at the reality, you need to *fly down from the moon to the
earth* and be realistic on what can be done, finding the right tradeoff.

That's what real-world security is, a tradeoff between what can be
acceptable to achieve a "Safe Enough" level compared to the current

If you only think "techy" and only think "radical", then you'll not
achieve any security and safety improvement.

If you understand real-life context of use, focusing on bringing the
best security that they can effectively leverage for their context of
operation, then you're making them safer.

Perfectly safe? No. 

But it's just hypocrisy to think that technology can give perfect
safety, as technology is only "part" of the picture.

Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
