[Bug 25385] clear key cannot provide basic protection, why not considering web cryptography API

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25385

--- Comment #6 from GEXIN1984@GMAIL.COM ---
(In reply to Mark Watson from comment #3)
> I agree with David. Suggest WONTFIX.
> 
> If a site uses HTTPS, the key can be delivered to the client JS in a way
> that is secure against an active MITM attack. The difficulty for the user to
> obtain the key is about the same for this case as for the proposed use of
> WebCrypto.

I can't agree with you. HTTPS can protect the key against a MITM attack. But
the user can easily get the key by reading the JS source code. This is the bug
I raised. I want to propose a method to solve the bug, but HTTPS cannot.


Received on Wednesday, 30 April 2014 05:19:28 UTC