W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2014

Re: WebCrypto Security Analysis

From: Aymeric Vitte <vitteaymeric@gmail.com>
Date: Wed, 26 Mar 2014 01:29:25 +0100
Message-ID: <53321F65.8080006@gmail.com>
To: Oliver Hunt <oliver@apple.com>
CC: Mark Watson <watsonm@netflix.com>, Ryan Sleevi <sleevi@google.com>, Richard Barnes <rlb@ipv.sx>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>, Kelsey Cairns <kelsey.cairns@inria.fr>
Maybe you did not read everything ("with https, a kind of artifice..."), 
that's exactly what I am saying.



Le 25/03/2014 19:06, Oliver Hunt a écrit :
> On Mar 25, 2014, at 7:49 AM, Aymeric Vitte <vitteaymeric@gmail.com> wrote:
>> This thread shows that maybe someone should then ask Mozilla to change its policy.
>> As explained in [1] Presentation "Why the main page is not using https", we are forced to use http to load the main page
> It doesn’t matter if you try to load subsequent code over https - the moment any content is distributed over http any subsequent secure loads are irrelevant because an attacker can already replace your content with whatever they choose.  WebCrypto does not save you.
> —Oliver

Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Received on Wednesday, 26 March 2014 00:30:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:02:41 UTC