[Cryptography] [cryptography] Browser JS (client side) crypto FUD

Tony Arcieri bascule at gmail.com
Thu Jul 31 12:47:45 EDT 2014


On Thu, Jul 31, 2014 at 2:00 AM, ianG <iang at iang.org> wrote:

> No, you're prioritising an active attack as more frequent and more
> harmful than a passive attack.
>

Sure, passive data collection is a big problem too, but these systems offer
"security" when they aren't being attacked. It's trivial for anyone with a
privileged network position (e.g. your barista) to attack them.

Simply using https:// would prevent many active attacks. It isn't a lot of
effort to implement... certainly a lot less than hand-rolling a bunch of JS
crypto.

Some of these sites are arguing that they're *more* secure by *not* using
https o_O

-- 
Tony Arcieri