Dailydave mailing list archives

Re: entropicdata.com ?


From: "Jim Manico" <jim () manico net>
Date: Tue, 19 May 2009 20:17:51 -1000

So they implement RSA/twofish/etc in Javascript and run that in the browser

But can't we stop here? Once a solution depends on client-side, especially browser-based client-side encryption, aren't you dead in the water (i.e., substantial risk) from the design itself?

- Jim

  ----- Original Message ----- 
  From: Dave Aitel 
  To: dailydave () lists immunitysec com 
  Sent: Tuesday, May 19, 2009 1:44 PM
  Subject: [Dailydave] entropicdata.com ?


  Lots of people are doing things in web services (AJAX, etc) that require real crypto. So they implement RSA/twofish/etc in Javascript and run that in the browser. But this requires a way to generate a key which requires some entropy. There's no "feed of random numbers" that I know of on the web that you can use to seed your crypto, probably because of cross site restrictions. But it seems like either google gears, HTML5, or one of the other new extensions should offer it as a built-in API.

  Likewise if they allowed you to get data from other sites (which the new Firefox does sometimes?) then you could set up a web service for people to use to get their entropic data from (over SSL of course :>).

  What else are people using for this? It seems to be a bit of a theme here at SyScan (re: David Thiel's RIA presentation). Is there an API in Silverlight/Flash/etc that lets you get entropy and then give it back to the browser context?

  -dave




------------------------------------------------------------------------------


  _______________________________________________
  Dailydave mailing list
  Dailydave () lists immunitysec com
  http://lists.immunitysec.com/mailman/listinfo/dailydave