[Cryptography] [cryptography] Browser JS (client side) crypto FUD

ianG iang at iang.org
Thu Jul 31 05:00:32 EDT 2014


On 30/07/2014 07:09 am, Tony Arcieri wrote:
> On Tue, Jul 29, 2014 at 6:53 AM, Lodewijk andré de la porte
> <l at odewijk.nl> wrote:
> 
>     JavaScript cryptography is possible, there are use cases, and it is
>     /definitely/ /not/ "considered harmful" by default.
> 
> 
> By default you aren't using HTTPS, HSTS, and CSP. Without these things,
> doing cryptography in a web page is most definitely harmful and insecure.

No, you're prioritising an active attack as more frequent and more
harmful than a passive attack.

As we now know, passive attack is a certainty and active attacks are rare.

(The question of 'harm' still lacks data...)



iang

