undefined | Better HN

0 pointsnwh12y ago0 comments

It always comes down to this; would you prefer security, or just something that makes you feel fuzzy? Crypto in JavaScript only gives the latter.

0 comments

4 comments · 1 top-level

nlacasse12y ago· 3 in thread

I disagree. Javascript cryptography can provide real security, it's just important to keep in mind what is being secured, and where the vulnerabilities are. Currently, js crypto is vulnerable in that its difficult to verify that the js a browser is running is the intented code.

Every day, millions of people are sending sensitive data over very insecure channels like email and DropBox because secure tools like PGP are to difficult for them or their friends to use. Clearly some security is better than none, as long as the limitations are known.

tptacek12y ago

This is like saying a sign that says "attackers keep out" provides real security, as long as you keep in mind that it only works if attackers obey the sign. After all, Dropbox doesn't have an "attackers keep out" sign!

Spooky2312y ago

It is a little better than that. What about an enterprise application where you have control/trust of the server, but want to securely cache data in offline browser storage.

That covers common scenarios, like people who provide web based access to Microsoft Exchange.

azakai12y ago

No, it's more like an imperfect lock is still more security than no lock at all on your door.

1 more reply

j / k navigate · click thread line to collapse