undefined | Better HN

0 pointstptacek15y ago0 comments

Yes. You are right. It is the problem with pretty much everything. The issue here is that you haven't solved that problem. So your application is no more secure than anything.

0 comments

celoyd15y ago

No. Assuming it’s correctly implemented, it’s more secure than an identical app that sends the password over SSL to the server.

This is not an innovation in cryptographic theory, but it’s something you don’t usually see in a web app.

tptacekOP15y ago

It's something you don't see in web apps because the idea has been roundly rejected. Because in almost every setting where you could possibly implement crypto in JS, you have to run the app over HTTPS anyways, you gain only epsilon more security than if you would without added crypto --- and that's if you get everything right.

celoyd15y ago

Sure. As this is designed now, HTTPS’s prevention of malicious JS insertion is the big weak point I see. But it’s implicitly asking what you could do if you found ways of getting around that, for example by using client-side caches of the code after a strict initial check.

The real wow for me here is that JS is fast enough to do AES-128 at comfortable chat speed. That’s really suggestive. It’s an epsilon, but it’s a fertile and interesting epsilon.

1 more reply

j / k navigate · click thread line to collapse

0 comments

celoyd15y ago

No. Assuming it’s correctly implemented, it’s more secure than an identical app that sends the password over SSL to the server.

This is not an innovation in cryptographic theory, but it’s something you don’t usually see in a web app.

tptacekOP15y ago

celoyd15y ago

The real wow for me here is that JS is fast enough to do AES-128 at comfortable chat speed. That’s really suggestive. It’s an epsilon, but it’s a fertile and interesting epsilon.

1 more reply

j / k navigate · click thread line to collapse