Dailydave mailing list archives
Re: entropicdata.com ?
From: Dave Aitel <dave.aitel () gmail com>
Date: Tue, 26 May 2009 22:57:40 -0400
Sure, so one perspective is that anything cryptographic has to get done on the server. Which seems perfectly valid, but in some cases people don't want to do it that way. Maybe they want to sign something, without having to upload it to the server, say. Or maybe they just don't want to burden the server with tons of crypto. There's lots of good reasons to do crypto without reinventing SSL. And, of course, the cross domain stuff coming out makes this more likely, I assume.

-dave
Hold on here. You're running Javascript RSA in your browser. Where did that Javascript come from? Right, you have to load it over SSL to be sure the Javascript is unmodified. But if you're already using SSL, any crypto you implement browser-side can only be less reviewed and more likely to explode, in addition to requiring SSL anyway.

Loading your random data over HTTP is a bad idea too. DSA reveals your private key to an attacker if even a few bits of the random nonce are predictable:

http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/
http://rdist.root.org/2009/05/20/amazon-web-services-signature-vulnerability/

Please stop Web 2.0 from reimplementing crypto, badly. Help computer!

-- Nate
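Nate's point about predictable DSA nonces, as an added example that is not part of the thread: a toy DSA over a hand-picked 11-bit group (p = 2039, q = 1019, g = 4, constructed here purely for illustration) signs two messages with the same nonce k, and a few lines of algebra pull the private key out of the pair. The same check (two signatures sharing r) is what a reviewer would grep a signature log for. Assumes Python 3.8+ for `pow(a, -1, q)`.

```python
import hashlib

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 has
# order q, so r = (g^k mod p) mod q is never 0 here. Real DSA uses
# 2048/256-bit groups; the algebra of the leak is identical.
P, Q, G = 2039, 1019, 4

def hash_to_int(message):
    """H(m) reduced mod q, mirroring how DSA truncates the hash."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q

def sign(x, h, k):
    """DSA signature (r, s) of hash value h under private key x, nonce k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    if r == 0 or s == 0:           # the standard says: draw a fresh k
        raise ValueError("degenerate signature, pick another k")
    return r, s

def verify(y, h, sig):
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

def recover_private_key(h1, sig1, h2, sig2):
    """Two signatures sharing r (same k) give x by simple algebra:
    k = (h1 - h2) / (s1 - s2) mod q, then x = (s1*k - h1) / r mod q.
    A repeated r across signatures is exactly the red flag to look for."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None                # different nonces, or hashes collided
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h1) * pow(r1, -1, Q) % Q

if __name__ == "__main__":
    x = 123                        # constructed private key
    y = pow(G, x, P)
    k = 77                         # "predictable" nonce, reused twice
    h1, h2 = hash_to_int(b"transfer 10"), hash_to_int(b"transfer 9999")
    sig1, sig2 = sign(x, h1, k), sign(x, h2, k)
    assert verify(y, h1, sig1) and verify(y, h2, sig2)
    print("same r in both signatures:", sig1[0] == sig2[0])
    print("recovered private key:", recover_private_key(h1, sig1, h2, sig2))
```

The leak only needs the two signatures and their message hashes; nothing about the public key is used, which is why a biased or reused nonce is fatal no matter how large the group is.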
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- entropicdata.com ? Dave Aitel (May 19)
- Re: entropicdata.com ? kowsik (May 20)
- Re: entropicdata.com ? Jon Oberheide (May 20)
- Re: entropicdata.com ? Jim Manico (May 20)
- Re: entropicdata.com ? Michal Zalewski (May 20)
- Re: entropicdata.com ? Arshan Dabirsiaghi (May 20)
- Re: entropicdata.com ? Nate Lawson (May 22)
- Re: entropicdata.com ? Dave Aitel (May 26)
- Re: entropicdata.com ? Nate Lawson (May 27)
- Re: entropicdata.com ? Dave Aitel (May 26)