Re: [GNU/consensus] PGP as web standard


From: carlo von lynX
Subject: Re: [GNU/consensus] PGP as web standard
Date: Tue, 30 Dec 2014 03:11:06 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

On Thu, Dec 11, 2014 at 05:13:36AM +0300, senya wrote:
> Have you ever thought of necessity of realizing end-to-end encryption as
> part of web standard? Do you think it is possible to push? Maybe it is

It has been done. Web Crypto API is being deployed. It is a terrible
idea that Eleanor Saitta and I have heavily criticized in the
respective W3C mailing lists because there is no way on earth that
servers can be trusted to deliver the correct HTML and JavaScript
such that end-to-end encryption will actually take place - therefore
it is giving false promises to users. There is no privacy gain
compared to using HTTPS and having the server handle the data
since users would never be able to tell when their trust is broken.

> nevertheless possible to implement end-to-end encryption with some
> javascript using some extra security and isolation measures? Or maybe
> you have some other ideas how to implement it, that I didn't think of?

Since the web browser by definition shows what the server tells it 
to show, the user cannot tell by looking at the web's user interface 
if it is doing crypto in the browser or not.

The web is only safe when the server is "localhost" - and even that
is hard to hammer into users' heads.


-- 
            http://youbroketheinternet.org
 ircs://psyced.org/youbroketheinternet


