Search Mailing List Archives
wasabee18 at gmail.com
Tue Jun 18 13:13:05 PDT 2013
why does everyone want to trust yet another third party to encrypt data
on their behalf :)?
if u want to encrypt stuff, u should do it on ur machine. Maybe what
people should be searching for is an easy-to-use, audited and open
source stack to do it.
if we are too lazy to do it ourselves and want to outsource it to an
online service; this we dont really value ourprivacy after all. there is
no gain without a little pain.
On 18/06/2013 21:05, Steve Weis wrote:
> It's not safe.
> This is their bookmarklet:
> site, which can be changed at any time and compromise your messages
> without your knowledge.
> The actual call to encrypt data is here:
> hmac = hex_hmac_sha1(key, _this.text);
> hmac += hmac.slice(0, 24);
> cipher = hmac + salt + Aes.Ctr.encrypt(_this.text, key, 256);
> They're MACing the key for some reason, then using unauthenticated CTR
> mode without an HMAC. So this is completely vulnerable to someone
> modifying the ciphertext.
> That CTR mode is implemented by this:
> as a nonce combined with a weak JS Math.random(). That's vulnerable to
> some attacks as well.
> Generally, I'd assume that a random crypto project you run across is
> probably not safe.
> On Tue, Jun 18, 2013 at 11:51 AM, Lorenzo Franceschi Bicchierai
> <lorenzofb8 at gmail.com <mailto:lorenzofb8 at gmail.com>> wrote:
> Have you guys seen this?
> I've searched through the archives but didn't see anything. I'm
> wondering how safe this is.
> It has received some small attention on the media before.
> *Lorenzo Franceschi-Bicchierai
> *Mashable <http://www.mashable.com> Junior US & World Reporter
> lorenzo at mashable.com <mailto:lorenzo at mashable.com> |
> lorenzofb8 at gmail.com <mailto:lorenzofb8 at gmail.com>
> #: (+1) 917 257 1382
> Twitter: @lorenzoFB <http://www.twitter.com/lorenzoFB>
> Skype: lorenzofb8
> OTR: lorenzofb at jabber.ccc.de <mailto:lorenzofb at jabber.ccc.de>
> www.lorenzofb.com <http://www.lorenzofb.com>
> Too many emails? Unsubscribe, change to digest, or change password
> by emailing moderator at companys at stanford.edu
> <mailto:companys at stanford.edu> or changing your settings at
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech