Re: security of a client-side JS API?

On 11/1/12 10:13 AM, "Richard L. Barnes" <<>> wrote:

I think End-to-End encryption is easily implementable with current webcrypto
API spec.
My feeling is that truly private, end-to-end encryption using the
WebCrypto API (or indeed any JS crypto library) is only possible if
implemented in an open-source browser extension, such as Cryptocat. As
far as I can tell, it is not possible in a web app using the WebCrypto
standardization for E2E is diffucult issue.
Probably, but some reasonably simple standards should be possible. For
example, encrypting/decrypting text and encrypting/decrypting files
look like two relatively simple and fairly general use cases.
Best regards,

If you don't trust the downloaded JavaScript, why are you using a web app?  If you have to download a browser extension, then you might as well install a dedicated application.  ISTM that your definition of E2E is not really germane to this working group.

Exactly my opinion  as well. Well said.


Received on Thursday, 1 November 2012 21:18:47 UTC