From: Melvin Carvalho [mailto:melvincarvalho@gmail.com] > Firstly, HTTP isnt always insecure, it can be, but is not always HTTP is always insecure by definition. The insecure transport is not always being *attacked*, but you have literally no way of knowing whether you're being attacked or not, so for all practical purposes you must always assume an attack. > Some of the functions in web crypto such as SHA256, or even AES, are useful over HTTP They are not useful if the network attacker overrides `window.crypto.subtle.*` to replace your SHA256 funcitonality with the identity function, or with a function that does a pass-through after sending the data to a remote server, or...Received on Wednesday, 10 December 2014 17:32:32 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC