Search Mailing List Archives
[liberationtech] DNSSEC to the rescue. Was: Snakeoil and suspicious encryption services
vitteaymeric at gmail.com
Tue Jul 22 16:38:23 PDT 2014
Answering to the three last answers in one time.
Le 22/07/2014 20:44, Tony Arcieri a écrit :
> Of course, we're still left with the bootstrapping problem of getting
> an authentic parent page.
So finally you have highlighted the main issue, this is valid for
extensions too, this is why the problem can not be solved, unless you
use different channels to make sure that what you get is correct.
For Peersm, you still insist on the fact that we serve the code over
plaintext http, we are forced to do this because you can not use non
ssl/tls websockets with https, per major browser vendors decision and
the rationale is still unclear but as it is today https will not secure
So, for the umpteenth time, the solution for Peersm is to get the code
by any available means if you don't trust peersm site, check it and run
it locally, you can not do this with extensions, this defeats any
attempts to modify it including from peersm site itself.
And checking what is doing a 400 kB js code is trivial for any serious
js dev, starting by deminifying it and just hacking into it.
DNSSEC & co, the solution is more easy, you just have to be able to make
sure that the certificate used by the site is the correct one, certified
again by other parties on different channels, but you can not automate
this, that's why I insisted with WebCrypto to get the "expose ssl/tls
But if the code loading issue has no real solution today, I still think
that for js the code itself could detect that something was modified,
whether it's too late or not when it's detected depends on the app, that
would not be the case for Peersm.
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
More information about the liberationtech