Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Peer-review required: SwaTwt and TweedleDH

Steve Weis steveweis at
Wed Sep 29 10:08:50 PDT 2010

I gave some constructive criticism directly, but it mostly echoes what
you already wrote.

In light of Haystack, I think it's important that security questions
about live systems are raised early and loudly. There are
non-technical readers of this list and you don't know who might start
using that site. I encouraged Mr. Zzzzen to highlight that the site is
for test purposes only.

In fairness, I have collaborated on an experimental privacy-related
project called PseudoID where the live demo code uses client-side
Javascript crypto. The site has a warning that says it is for demo
purposes. The corresponding paper discusses all the security issues
why it's not ready for practice and the future work that would need to

One of the future areas of work was to build crypto support into a
browser plug-in or extension. There is work being done on client-side
crypto for HTML5, similar to client-side storage, that is promising.
Support would be built into compatible browsers and accessible via
calls in Javascript.

On Tue, Sep 28, 2010 at 8:07 PM, Daniel Colascione
<dan.colascione at> wrote:
> First off, I don't think SwaTWT is particularly *useful*. Sending an
> encrypted message is a solved problem: use PGP or OTR. These systems are
> infinitely better than plain old (unauthenticated!) symmetric cryptography.
> That said, constructive criticism is better than sternly shooting down a
> well-meaning novice; at least he asked for someone to review his work.
> If you pin his ears back, you're just teaching him to not ask for input
> next time.

More information about the liberationtech mailing list