Full Disclosure mailing list archives
Re: JavaScript exploits via source code disclosure
From: Marsh Ray <marsh () extendedsubset com>
Date: Thu, 06 May 2010 10:42:41 -0500
On 5/6/2010 9:00 AM, PsychoBilly wrote:
http://www.jcryption.org/
A perfect example of what doesn't work.
From the site: Normally if you submit a form and you don’t use SSL, your data will be sent in plain text. But SSL is neither supported by every webhost nor it’s easy to install/apply sometimes.
Setting up a secure site is too hard, what to do?! Last I heard, millions of sites had succeeded in setting up SSL.
So I created this plug-in in order that you are able to encrypt your data fast and simple. jCryption uses the public-key algorithm of RSA for the encryption. jCryption at it’s current state is no replacement for SSL, because there is no authentication,
Ok, what good is it then? Adversary simply modifies your page in transit to not use the 'jcryption', or to leak him a copy of the session key. This kind of thing will only deter people who don't know any better or people with little motivation to care about your data anyway. Using it is only an admission that you are either incompetent or don't have anything worth the slightest effort to steal. - Marsh _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- JavaScript exploits via source code disclosure Ed Carp (May 05)
- Re: JavaScript exploits via source code disclosure Marc Olive (May 06)
- Re: JavaScript exploits via source code disclosure Nick FitzGerald (May 06)
- <Possible follow-ups>
- Re: JavaScript exploits via source code disclosure Ed Carp (May 06)
- Re: JavaScript exploits via source code disclosure Valdis . Kletnieks (May 06)
- Re: JavaScript exploits via source code disclosure PsychoBilly (May 06)
- Re: JavaScript exploits via source code disclosure Marsh Ray (May 06)
- Re: JavaScript exploits via source code disclosure PsychoBilly (May 06)
- Re: JavaScript exploits via source code disclosure Marsh Ray (May 06)
- Re: JavaScript exploits via source code disclosure Christian Sciberras (May 06)
- Re: JavaScript exploits via source code disclosure Nick FitzGerald (May 06)
- Re: JavaScript exploits via source code disclosure Christian Sciberras (May 06)
- Re: JavaScript exploits via source code disclosure T Biehn (May 06)