[Cryptography] Browser JS (client side) crypto FUD

Tom Mitchell mitch at niftyegg.com
Sat Jul 26 16:32:29 EDT 2014


On Sat, Jul 26, 2014 at 8:03 AM, Lodewijk andré de la porte <l at odewijk.nl>
wrote:

> http://matasano.com/articles/javascript-cryptography/
>
>
Interesting...
I think all of his points and issues are worth researching
but he misses one important bit ---

   *  Browser based email is the current game of choice and any improvement is important.

For Google and most others POP and IMAP are a key
part of the landscape and can remove the browser and
JS from the mix.

For phones the browser is commonly replaced with an application
again removing JS from the customer side of actions.

These all imply interoperability with any browser based tool set
which also implies that non-browser traffic flowing through the service
should be identical to any third party pair of eyes.

  B=Browser
  A=Application
  C=Classic Mail
  etc...

  A <=m=> A
  A <=m=> B
  B <=m=> B
  ....
  C <=m=> C
  etc...

This interoperability matrix makes it moderately possible
to ignore his objections for the vast majority. The others
can elect to not use browser based tools. The =m= is
a man in the middle. Does this observer see anything
interesting and different?

One interesting permutation is <=g=> with Google in the middle
  Ag <=g=> Ag
Google application to Google application all contained inside
of Google.

  An <=+=> An
This might be an Application authored by the NSA connecting to
a paired application also by NSA with any number (+) of onlookers in the
middle.

-- 
  T o m    M i t c h e l l