Dailydave mailing list archives

Re: entropicdata.com ?


From: Dave Aitel <dave.aitel () gmail com>
Date: Tue, 26 May 2009 22:57:40 -0400

Sure, so one perspective is that anything cryptographic has to get done
on the server. Which seems perfectly valid, but in some cases people
don't want to do it that way.

Maybe they want to sign something, without having to upload it to the
server, say. Or maybe they just don't want to burden the server with
tons of crypto. There's lots of good reasons to do crypto without
reinventing SSL.

And, of course, the cross domain stuff coming out makes this more
likely, I assume.

-dave



Hold on here. You're running Javascript RSA in your browser. Where did
that Javascript come from? Right, you have to load it over SSL to be
sure the Javascript is unmodified. But if you're already using SSL, any
crypto you implement browser-side can only be less reviewed and more
likely to explode, in addition to requiring SSL anyway.

Loading your random data over HTTP is a bad idea too. DSA reveals your
private key to an attacker if even a few bits of the random nonce are
predictable:
http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/
http://rdist.root.org/2009/05/20/amazon-web-services-signature-vulnerability/

Please stop Web 2.0 from reimplementing crypto, badly. Help computer!

--
Nate
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

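Nate's DSA point, as a worked toy example added here (not code from either post): textbook DSA over constructed small parameters, the algebra by which one known nonce hands over the private key, and a deterministic nonce derivation in the spirit of RFC 6979 as the mitigation. All parameters and values are constructed; full nonce knowledge is shown because it exposes the relation directly, and the partial-bit case in the linked posts is recovered from that same linear relation with lattice methods.

```python
import hashlib
import hmac

# Constructed toy DSA parameters (educational size only): q divides p-1, g has order q mod p.
P, Q, G = 2039, 1019, 4


def hash_to_int(msg: bytes) -> int:
    """Hash the message and reduce into the subgroup order, as DSA does."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(x: int):
    """Private key x in [1, Q-1]; public key y = g^x mod p."""
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, k: int):
    """Textbook DSA signing; the nonce k is caller-supplied so its source can be varied."""
    h = hash_to_int(msg)
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce; pick another k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    h, w = hash_to_int(msg), pow(s, -1, Q)
    v = (pow(G, (h * w) % Q, P) * pow(y, (r * w) % Q, P) % P) % Q
    return v == r


def recover_private_key(msg: bytes, sig, k: int) -> int:
    """Why a predictable nonce is fatal: s = k^-1 (h + x r) rearranges to x = (s k - h) r^-1 mod q."""
    r, s = sig
    return ((s * k - hash_to_int(msg)) * pow(r, -1, Q)) % Q


def deterministic_nonce(x: int, msg: bytes) -> int:
    """Mitigation in the spirit of RFC 6979 (simplified; not the RFC's HMAC_DRBG construction):
    derive k from the private key and message hash, so no externally fetched entropy is involved."""
    tag = hmac.new(x.to_bytes(2, "big"), hash_to_int(msg).to_bytes(2, "big"), hashlib.sha256).digest()
    return 1 + int.from_bytes(tag, "big") % (Q - 1)


if __name__ == "__main__":
    x, y = keygen(777)                       # constructed private key
    sig = sign(x, b"transfer 100", 123)      # 123 stands in for a nonce an observer could predict
    print(verify(y, b"transfer 100", sig), recover_private_key(b"transfer 100", sig, 123) == x)
```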
