[Cryptography] Browser JS (client side) crypto FUD

Theodore Ts'o tytso at mit.edu
Sat Jul 26 14:57:28 EDT 2014


On Sat, Jul 26, 2014 at 05:03:46PM +0200, Lodewijk andré de la porte wrote:
> 
> "WHAT'S THE "CHICKEN-EGG PROBLEM" WITH DELIVERING JAVASCRIPT CRYPTOGRAPHY?
> 
> If you don't trust the network to deliver a password, or, worse, don't
> trust the server not to keep user secrets, you can't trust them to deliver
> security code. The same attacker who was sniffing passwords or reading
> diaries before you introduce crypto is simply hijacking crypto code after
> you do."

I think it's a bit more complicated than you're making it out to be.
Ultimately, nearly all of the software that people run comes from
the network, at one time or another.  Even if you are using gpg
running on your Linux laptop, where did you get your copy of gpg and
the Linux OS?  Odds are, you got it over the network.  But I don't
think that's necessarily a reason to throw up our hands and give up,
saying all is lost.  If your packaging system has reproducible builds,
then it becomes possible for independent audits to check out various
critical bits of code, and it becomes possible for people to determine
that the binary package which they installed corresponds to the
version that was audited.  And even if not everyone does this, the
fact that it is possible for spot checks to reveal a rat significantly
decreases the chances that an APT such as the NSA would be willing to
even try the attack, lest they get caught red-handed.

How does this apply to javascript cryptography?  Well, if you are
using something like a Chrome Extension, or a Firefox plugin, where
the crypto is executing in the browser context, but it is downloaded
once and then used multiple times, this becomes very similar to a
version of gpg getting downloaded once onto your laptop and then
used multiple times.  It's no more or less secure than a version of
gpg downloaded from your network and installed on your Mac or Linux
laptop.

Like it or not, the vast majority of people are using some kind of web
based e-mail, whether it's GMail or Yahoo Mail or Hotmail, or
something else.  And if the crypto is being done in a browser
plugin/extension, the advantage is that if you downloaded the
plugin/extension *before* Google or Yahoo or Microsoft is served with
a search warrant or FISA order, you are far more secure than if your
data is stored on a third-party server over which you have no control,
and where, if the search warrant is served against the third party,
they can also be served with a gag order not to tell you.

Could this be hacked?  Sure, just as Red Hat or Debian could be forced
to give you (and only you) an updated gpg package that had a backdoor.
But this is far more observable, and I suspect that Red Hat and Debian
would have far more legal ground to contest, and far more interest in
contesting in court, an order to knowingly install malware on a
customer's machine.  That is significantly different from simply
turning over information, and it also significantly increases the
chances that the installation of the malware would be noticed and
traced back.

Cheers,

							- Ted
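The "spot check" Ted describes, as an added example that is not part of the original message: with reproducible builds, independent rebuilders can publish the hash they obtained from the audited source, and a user compares the package actually installed against that consensus. A copy served to "you and only you" then shows up as a mismatch. Rebuilder names, package contents and hashes below are constructed sample data, not real attestations.

```python
from __future__ import annotations
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()

def spot_check(installed: bytes, attestations: dict[str, str], quorum: int) -> dict:
    """Compare the hash of the package actually installed against the hashes
    independent rebuilders published for the audited version.

    attestations: rebuilder name -> hex SHA-256 that rebuilder got from source.
    quorum: how many rebuilders must agree before their hash is treated as
            the reference value.
    """
    local = sha256_hex(installed)
    consensus, votes = Counter(attestations.values()).most_common(1)[0]
    if votes < quorum:
        # The rebuilders cannot even agree with each other, so the build is
        # not reproducible enough to say anything about the local copy.
        return {"verdict": "no-consensus", "local": local, "consensus": None}
    if local == consensus:
        return {"verdict": "match", "local": local, "consensus": consensus}
    # Everyone else rebuilt the audited source and got the same binary, but
    # the copy on this machine differs: the targeted-package case, now visible.
    dissenters = [name for name, h in attestations.items() if h != consensus]
    return {"verdict": "mismatch", "local": local, "consensus": consensus,
            "dissenting_rebuilders": dissenters}

# Constructed sample data (hypothetical package bytes, not a real gpg build).
AUDITED_BUILD = b"gpg package built from the audited source tree\n"
TAMPERED_BUILD = AUDITED_BUILD + b"\x90" * 8   # same package plus an extra payload

REBUILDERS = {
    "rebuilder-a": sha256_hex(AUDITED_BUILD),
    "rebuilder-b": sha256_hex(AUDITED_BUILD),
    "rebuilder-c": sha256_hex(AUDITED_BUILD),
}

if __name__ == "__main__":
    print(spot_check(AUDITED_BUILD, REBUILDERS, quorum=2)["verdict"])   # match
    print(spot_check(TAMPERED_BUILD, REBUILDERS, quorum=2)["verdict"])  # mismatch
```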
