[liberationtech] DNSSEC to the rescue. Was: Snakeoil and suspicious encryption services
vitteaymeric at gmail.com
Wed Jul 23 03:34:12 PDT 2014
So let's re-explain: those that do not trust the current mechanism of
Peersm to load the code (which already includes some protections) and
fear a MITM attack can get it through other channels and run it inside
Other channels means: other sources that provide the code with its hash
(hopefully the same one!!). Peersm code cannot fit in tweets but easily
fits in websites, links, torrents, anonymous networks; potentially you
could just use Peersm itself to check it (upload the code with the Peersm
app from your disk to your browser, check the hash, decrypt/encrypt it).
Asking every user to check the whole code would be ridiculous, among the
sources someone skilled enough might have done the job and can certify
that the related code is OK for other users.
"Skilled enough" --> a serious js dev. Unlike what you seem to state,
it's really easy to see what js code is doing, whatever obfuscation
means or strange things the issuer has used/put in it.
Now you seem to mean that 400 kB is big for Peersm; you probably don't
realize all that it is doing (Peersm protocol, Tor protocol, SSL/TLS,
certificates, crypto, RSA, DH, etc.) for such small code compared to
other technos doing the same with dozens of MB at minimum.
On 23/07/2014 02:20, Tony Arcieri wrote:
> On Tue, Jul 22, 2014 at 4:38 PM, Aymeric Vitte <vitteaymeric at gmail.com
> <mailto:vitteaymeric at gmail.com>> wrote:
> And checking what is doing a 400 kB js code is trivial for any
> serious js dev
> This assertion is completely ludicrous, especially when you're talking
> about trying to find a potentially stealthy malicious payload in 400kB
> obfuscation techniques which can't be easily undone through simple
> static analysis.
> by manual review and searching for backdoors is a complete nonstarter
> when it comes to practical solutions to detecting compromise.
> TweetNaCl, by comparison, fits in 100 tweets.
> Tony Arcieri
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms