[Bug 25385] clear key cannot provide basic protection, why not considering web cryptography API from bugzilla@jessica.w3.org on 2014-04-30 (public-html-bugzilla@w3.org from April 2014)

From: <bugzilla@jessica.w3.org>
Date: Wed, 30 Apr 2014 05:19:27 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-25385-2486-RMYx9RiCtD@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25385

--- Comment #6 from GEXIN1984@GMAIL.COM ---
(In reply to Mark Watson from comment #3)
> I agree with David. Suggest WONTFIX.
> 
> If a site uses HTTPS, the key can be delivered to the client JS in a way
> that is secure against an active MITM attack. The difficulty for the user to
> obtain the key is about the same for this case as for the proposed use of
> WebCrypto.

I can't agree with you. HTTPS can protect the key against MITM attack. But the
user can easily get key by reading JS source code. This is the bug I raised. I
want to propose a method to solve the bug, but HTTPS cannot.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Wednesday, 30 April 2014 05:19:28 UTC