W3C home > Mailing lists > Public > public-identity@w3.org > September 2011

Re: Javascript Cryptography Considered Harmful

From: John Kemp <john@jkemp.net>
Date: Wed, 21 Sep 2011 16:12:30 -0400
Cc: Henry Story <henry.story@bblfish.net>, public-identity@w3.org
Message-Id: <AAF564C7-5863-4852-A7EE-4D015E2E457E@jkemp.net>
To: David Dahl <ddahl@mozilla.com>
On Sep 21, 2011, at 3:55 PM, David Dahl wrote:

> I provided feedback through this blog post: http://monocleglobe.wordpress.com/2011/08/30/javascript-and-crypto/

One of the concerns of the blog post is that if you trust the server to deliver you code for doing crypto, why don't you trust the server to "just" do SSL? 

In the DOMCrypt proposal, can an origin generate a key and tell the client to use it? If so, how does that deal with the MITM which tells the browser to create a key for some origin, and then encrypt the user's password and send it to the server with that origin?


- John

> Regards,
> David
> ----- Original Message -----
> From: "Henry Story" <henry.story@bblfish.net>
> To: public-identity@w3.org
> Sent: Wednesday, September 21, 2011 2:22:52 PM
> Subject: Javascript Cryptography Considered Harmful
> An interesting article. I have not yet read it through in detail. I was wondering what people made of it here.
> http://www.matasano.com/articles/javascript-cryptography/
> Henry
> Social Web Architect
> http://bblfish.net/
Received on Wednesday, 21 September 2011 20:14:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 21 September 2011 20:14:12 GMT