Re: security of a client-side JS API?

Hi All,

On Thu, Nov 1, 2012 at 3:24 AM, Eric Rescorla <> wrote:
> As Zooko says, WebRTC provides a mechanism for establishing an
> end-to-end cryptographically protected data channel (for those who
> care, SCTP over DTLS. These channels can be created and accessed by
> JS.

Thanks for the suggestion about WebRTC. Please forgive my ignorance --
if the WebRTC data channels can be accessed by client-side JS, doesn't
that mean that messages can be read by the web app launching the

My concern is that browsers currently provide nothing out-of-the-box
for users who want encrypted communications that cannot be read by a
web app provider. This situation has resulted in a rampant online
privacy problem, as I'm sure everyone here is very aware.

Many users are going to perhaps have difficulty understanding the
nuance that the WebCrypto API doesn't give stronger privacy
protections than existed before. So I'm struggling to see the benefits
of a new crypto functionality for web apps that may require users to
make new security decisions (such as providing keys or signing

Best regards,

Received on Thursday, 1 November 2012 15:40:05 UTC