Thread: How is security handled in EWB2?
Thu, Nov 17 2016 8:46 AM

erickengelke

Raul wrote:

On 11/16/2016 6:35 PM, erickengelke wrote:
>> So... in JavaScript we kinda say gibberish := encrypt( mypassword ), then we send that gibberish out the network. Even if you look through the computer's transmit logs, or cache, or browser logs, gibberish is unreadable. You do not have the necessary secret to decrypt gibberish. Even if you know the formula, it doesn't help you solve the problem; it's not like ROT-13 where there is a reversible trick, it's just plain hard math.

> This is the key question right here - how does your JS app get access to the server cert?

Absolutely.  Key distribution is the hardest part of public key cryptography.

The answer is currently one of two options: we can place the public key into the EWB source code, which is vulnerable to someone deep-hacking EWB obfuscated code, or, less securely, we can negotiate it over HTTPS, which is vulnerable to MITM attacks.

It is true that with JavaScript you can never have perfect security. And while those are weaknesses, it's a matter of degree. Even with the full algorithms available in the public eye, both are a lot harder to solve (days of effort) than ROT-13 or Base64, which a hacker can spot in 10 seconds.

Erick
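
The scheme discussed in the post above, as an added example that is not part of the original thread and is not EWB code: a password is encrypted with the server's public key, and a key received over the network is checked against a fingerprint shipped in the client. Assumptions: Node's `crypto` module stands in for the browser so both sides run in one file, the key is 2048-bit RSA with OAEP padding, all function and constant names are hypothetical, and the fingerprint check that combines the two options is this example's own.

```javascript
// Added example: client and server roles run in one Node.js file.
const crypto = require('node:crypto');

// Server side: key pair generated once; the private key never leaves the server.
// (Constructed for this example; 2048-bit RSA is an assumption.)
const { publicKey: SERVER_PUBLIC_PEM, privateKey: SERVER_PRIVATE_PEM } =
  crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });

// SHA-256 over the DER-encoded public key, used to recognise the expected key.
function keyFingerprint(publicPem) {
  const der = crypto.createPublicKey(publicPem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Option 1 from the post: key material (here, its fingerprint) ships in the client code.
const EMBEDDED_FINGERPRINT = keyFingerprint(SERVER_PUBLIC_PEM);

// Option 2 from the post: the key arrives over the network. Comparing it with
// the embedded fingerprint rejects a key substituted in transit.
function acceptNegotiatedKey(receivedPem) {
  return keyFingerprint(receivedPem) === EMBEDDED_FINGERPRINT;
}

// Client side: RSA-OAEP is randomised, so the same password encrypts differently each time.
function encryptPassword(password, publicPem) {
  return crypto.publicEncrypt(
    { key: publicPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    Buffer.from(password, 'utf8')
  ).toString('base64');
}

// Server side: only the holder of the private key recovers the password.
function decryptPassword(b64, privatePem) {
  return crypto.privateDecrypt(
    { key: privatePem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' },
    Buffer.from(b64, 'base64')
  ).toString('utf8');
}
```
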