[Cryptography] [cryptography] Browser JS (client side) crypto FUD

Tom Mitchell mitch at niftyegg.com
Fri Aug 29 23:12:00 EDT 2014


On Thu, Jul 31, 2014 at 9:47 AM, Tony Arcieri <bascule at gmail.com> wrote:

> On Thu, Jul 31, 2014 at 2:00 AM, ianG <iang at iang.org> wrote:
>
>> No, you're prioritising an active attack as more frequent and more
>> harmful than a passive attack.
>>
>
> Sure, passive data collection is a big problem too, but these systems
> offer "security" when they aren't being attacked. It's trivial for anyone
> with a privileged network position (e.g. your barista) to attack them.
>
> Simply using https:// would prevent many active attacks. It isn't a lot
> of effort to implement... certainly a lot less than hand rolling a bunch of
> JS crypto.
>
>
Recently in the JS world there was a bit of a thing over common math
functions.  On one camp was
a group happy to give limited accuracy and precision for reasons of speed
as measured in some
benchmark.  In another camp accuracy and precision expectations are well
set by C, Fortran and
other computer languages.

These math functions are not JS but native code linked to the binary as a
JS function.
While folk explore how to design some JS crypto functionality others should
look hard
at functions that could be bound into the browser as valuable primitives in
the way Math.random()
math.cos() and friends are.

Perhaps I am wrong but code found in CSS pages is easier to abused by men
in the middle
while a local static binary would have a more limited attack surface and
could also be tested
by near and far html pages.





-- 
  T o m    M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140829/3763794a/attachment.html>


More information about the cryptography mailing list