undefined | Better HN

0 pointsjcul2y ago0 comments

I mean the concept of generating a private / public key pair and sharing a public key is pretty sound.

If your browser is compromised or can't be trusted then you have bigger problems.

But if we assume this site can be trusted not to send secrets online (which is easy to verify) and they are not rolling their own crypto primitives in javascript, then the idea is pretty sound imo.

Personally I would use gpg or openssl for this, but it's not that easy for non-technical users.

0 comments

1 comments · 1 top-level

akerl_2y ago

> But if we assume this site can be trusted not to send secrets online (which is easy to verify)

This would require every sender and recipient to read and understand the JavaScript on every page load, because there’s no guarantee that the server is sending every request the same content. It is in fact not easy, especially for non technical users.

If we’re just assuming the site is trustworthy, the public key crypto isn’t necessary. If the site isn’t trustworthy, the public key crypto isn’t secure, because the site is in a position to compromise the private keys.

j / k navigate · click thread line to collapse