by hahooooo 3601 days ago
The issue is like this.

I load https://webmail.example.com.

I see my email.

My ISP doesn't see my email.

The NSA (or anyone else who can MITM https, such as my workplace, college, etc.) can effectively turn it into http, and see the content.

We need to fix that.

So I write an encryption library in JS, loaded from https://webmail.example.com. It loads the email through an AJAX call from https://webmail.example.com, decrypts it, and displays it.

The only issue is that whoever can MITM the connection can also modify the JS file to send the key to a C&C server.

So:

"Dumb" ISP can't read #1 mail

"MITM" ISP can read #2 mail

So what's the gain?

The only concern is that it's an active attack vs a passive attack, so no plausible deniability.

But in most MITM scenarios, you don't need plausible deniability.

1. Your workplace computer and the connection are owned by them, so they can do what they want with it.

2. Dictatorships give themselves whatever powers they want

3. The NSA has enough side-channel attacks to exploit.

So in which situation will a "JS" encryption help?


> The NSA (or anyone else who can MITM https, such as my workplace, college, etc.) can effectively turn it into http, and see the content.

To be clear, unless NSA has some massive capabilities we haven't dreamed of, properly implemented HTTPS cannot be MITM'ed (via SSL stripping, or other means) by anyone who lacks access to your local machine. Specifically, by properly-implemented SSL, I mean:

1. Serving https only, no http

2. HSTS

3. Certificate pinning

The situation you mention regarding workplace computers is a little different from the NSA, since they have the explicit authority and ability to install root certificates on your local work computer. Without those root certs (like if you use a personal computer at work), they lack the ability to MITM your connection, assuming the above.

If I'm the NSA, I'd already have stolen Protonmail's HSTS pinned cert's private key (possibly by burning a zero day getting into one of their web servers, possibly by "asking nicely" to some tech employee there for whom I had appropriate leverage).

But yeah - short of nation-state or very high level LEO (who're just piggybacking on their local NSA equivalent), HSTS with pinned certs is as close to "secure" as we have right now.

This is why we have HSMs.

It can in fact be "impossible" to steal one's crypto keys.

Yeah, but "stealing" them isn't the NSA's only avenue to acquire them. With Lavabit they just said "give us the keys so we can snoop all we want" - I suspect very few of us would be able to resist like Levison did (as in, shut your company and livelihood down, and hope they don't throw you in jail for doing so). (Fortunately, most of us won't have users with as much heat coming down on them as Snowden, but if you're building _anything_ privacy related you owe it to yourself to consider how far you'd go to protect your users if one of them turned out to be another Snowden...)

"stealing" is the only path the NSA can take in the case of ProtonMail, due to their servers being hosted in Switzerland and not within the borders of a nation that has a strong relationship with the US intelligence community.

I'd bet good money that the NSA can outsource this to their friends/counterparts/lackeys in any of five eyes, nine eyes, and fourteen eyes countries - and through less official channels involving local or flown-in thugs, pretty much everywhere else. They probably can't easily get Huawei's or Baidu's private keys, but I bet there's tens or hundreds of thousands of Protonmail sized companies in China/Russia/everywhere else that they _can_ strongarm the owners or sysadmin staff into handing keys over.

Or maybe I'm just in a way too "the whole world is fucked" mood today...

Only if you are sure the HSM isn't rigged from the start.

Another thing in the security tool chest is Subresource Integrity. If your JS is hosted on a CDN you can put a hash of the expected JavaScript within the HTML script declaration. When the browser downloads it, it'll verify the hash before executing it.

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...