Re: Javascript Cryptography Considered Harmful

On Sep 21, 2011, at 3:55 PM, David Dahl wrote:

> I provided feedback through this blog post: http://monocleglobe.wordpress.com/2011/08/30/javascript-and-crypto/

One of the concerns of the blog post is that if you trust the server to deliver you code for doing crypto, why don't you trust the server to "just" do SSL? 

In the DOMCrypt proposal, can an origin generate a key and tell the client to use it? If so, how does that deal with the MITM which tells the browser to create a key for some origin, and then encrypt the user's password and send it to the server with that origin?

Regards,

- John

> 
> Regards,
> 
> David
> 
> ----- Original Message -----
> From: "Henry Story" <henry.story@bblfish.net>
> To: public-identity@w3.org
> Sent: Wednesday, September 21, 2011 2:22:52 PM
> Subject: Javascript Cryptography Considered Harmful
> 
> An interesting article. I have not yet read it through in detail. I was wondering what people made of it here.
> 
> http://www.matasano.com/articles/javascript-cryptography/
> 
> Henry
> 
> Social Web Architect
> http://bblfish.net/

Received on Wednesday, 21 September 2011 20:14:11 UTC