undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointslucian190014y ago0 comments

No, it's not fair to say that at all. The website can MITM you at any time, even without changing the crypto code it sends you.

Native crypto clients don't have this particular vulnerability.

0 comments

4 comments · 1 top-level

wwwtyro14y ago· 3 in thread

> The website can MITM you at any time, even without changing the crypto code it sends you.

I am not following you. If they send you the code, can't you inspect it? And if you vet it, where's the concern for the MITM attack? You already have the code.

> Native crypto clients don't have this particular vulnerability.

Isn't it exactly the same? You have to download the code at some point.

lucian1900OP14y ago

The website or any of the domains it includes JS from can at any time inject some JS into your page, which could maybe replace AES with Base64, or anything else it wished to do.

Native crypto clients don't arbitrarily download code from several domains every time you turn on your app.

lucian1900OP14y ago

And I forgot to add, there's no way you can protect against other side-channel attacks like timing attacks. JS as it is today makes it impossible.

wwwtyro14y ago

Yeah, but you have the code. You could see if they were doing that.

j / k navigate · click thread line to collapse