[Cryptography] [cryptography] Browser JS (client side) crypto FUD

ianG iang at iang.org
Sat Aug 2 03:46:20 EDT 2014


On 1/08/2014 17:51 pm, Tony Arcieri wrote:
> On Fri, Aug 1, 2014 at 4:33 AM, ianG <iang at iang.org> wrote:
> 
>     Well, no.  Implementing HTTPS:// is hard.  It is simply out of the cost
>     range of about 99% of the websites [0].  Otherwise they would.
> 
>     [0] old figures.  It used to be that around 1% of the websites used
>     HTTPS, no idea what it is now.
> 
>
> [0] Citation needed


What part of "old figures" .. "no idea what it is now" do you not
understand?  Those numbers came from examination of SecuritySpace
figures and that other company.  They're out of date.


> Modern CPUs have crypto accelerators (e.g. AES-NI). https is cheaper
> than ever before.


The thing that upsets mass rollout of HTTPS is the configuration,
certificate, IP# and associated sysadm costs.  Only big-end merchants
grumble about the CPU costs, but they have always been able to afford it.


> The alternative is, what, everyone handroll their own JS crypto that
> only protects against passive attacks and easily folds when confronted
> with an active attacker?


Again, you're resting on the false argument of "see active attack, must
defend against active attack."


>     The fact that *you might be able to reach that high bar* is irrelevant.
>      What is relevant is the 2 decades of history that we have that says
>     clearly, HTTPS is simply too expensive.
> 
> 
> Since things like FireSheep made people aware of the use of unencrypted
> communications is dangerous, HTTPS has seen a massive proliferation in
> usage.

Citation needed ;)  Actually, you need that, otherwise it seems
nonsense.  I don't know anyone using FireSheep, how can it have made a
difference?  "Massive" ??


> Certain CDNs are contemplating making HTTPS a part of the base
> package rather than an add-on.


A start... 11 years after they should have acted, they are
"contemplating" ...  Impressive.

> So no, HTTPS cost and usage aren't problems. HTTPS is cheaper than ever
> to deploy and that trend will continue. The problem is people making
> silly excuses not to deploy HTTPS.


lol...

>     Yes, and they can make that argument.  HTTPS and PKI carries with it
>     some downsides such as vulnerability to CA-based attacks
> 
> 
> I thought we were talking about passive attacks

You introduced a different tack.


>     tracking,
> 
> 
> If you load some crypto JS over plaintext HTTP, a passive attacker can
> see you're doing this, and words like "crypto" might be interesting to
> their keyword analysis systems.
> 
> HTTPS would prevent this.


You're cherry picking :)  And, of course HTTPS will prevent the things
it is designed to prevent.  But ...


>     JS crypto is BTNS -- better than nothing security.
> 
> 
> So is ROT13


So is 40-bit SSL, which would have stopped PM in 1995.  But the world
said it wasn't good enough so we fought the NSA for 128-bit, nothing but
128-bit dammit!!!  Look what we got...

If cypherpunks had had the smarts to shut the fluff up and let 40-bit
pervade the planet, then we'd have upgraded to 64-bit then 80-bit then
128-bit by now and the job would be done.

All-or-nothing means you probably get nothing.



iang

