
Re: security of a client-side JS API?

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 1 Nov 2012 17:13:17 +0100
Message-ID: <CABcZeBMCSani3kRQLN1NSMVmfBkcN64=P6DrqG16ZTSWr3XtbA@mail.gmail.com>
To: "Arthur D. Edelstein" <arthuredelstein@gmail.com>
Cc: Zooko Wilcox-OHearn <zooko@leastauthority.com>, Ryan Sleevi <sleevi@google.com>, public-webcrypto-comments@w3.org

On Thu, Nov 1, 2012 at 4:39 PM, Arthur D. Edelstein
<arthuredelstein@gmail.com> wrote:
> Hi All,
>
> On Thu, Nov 1, 2012 at 3:24 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> As Zooko says, WebRTC provides a mechanism for establishing an
>> end-to-end cryptographically protected data channel (for those who
>> care, SCTP over DTLS). These channels can be created and accessed by
>> JS.
>
> Thanks for the suggestion about WebRTC. Please forgive my ignorance --
> if the WebRTC data channels can be accessed by client-side JS, doesn't
> that mean that messages can be read by the web app launching the
> channel?

Of course. Though note that WebRTC *does* provide for media displays
that aren't available to JS content. We just don't have any UI mechanisms
to support non-content text.

-Ekr
Received on Thursday, 1 November 2012 16:14:29 GMT
