On 29/11/15 11:20, "Walter H." <Walter.H@mathemainzel.info> wrote: >On 28.11.2015 03:43, Martin Thomson wrote: >> On 26 November 2015 at 20:48, Walter H.<Walter.H@mathemainzel.info> >>wrote: >>> can someone tell me REAL USEFUL use case where someone would need >>> this way of having something encrypted on a webserver? >> >> The two use cases where this is likely to appear in the short term are: >> >> 1. web push - where an encrypted resource is created on a server by >> one entity and retrieved by another. The server doesn't get to see >> the contents. >I'd say this is the wrong answer, this can be done alternativly as used >to do >(pushing an encrypted .rar or .zip is exactly this use case with >advantage, >there is no implicit malware impact ...) > >for security reason exactly this way you mentioned must be forbidden; >there mustn't be a way pushing malware to a server, >which the server itself has no possibility to clean it ... Using .rar or .zip for encryption is not an option. Not only are they proprietary, non-standardized compression algorithms, the encryption parts are based on passwords and at least the .zip encryption is seriously flawed… > >> 2. blind caching - the same as in web push actually. An origin server >> uses an untrusted cache and wants to encrypt data so that the cache >> can't modify or view the content. >as I think this is a security hole, too. > >now where is a REAL USEFUL use case? > >
Received on Monday, 30 November 2015 07:45:47 UTC