Hacker News
by nickbw 5855 days ago
Thank you for the insightful comments, and for taking the time to read the code! I really appreciate it.

I've added a pseudo-random component to the nonce, and a MAC to the messages.

I certainly agree that you can't rely on code from untrusted servers, but I think doing the encryption in the client with code that is publicly viewable, even if it can be compromised at any time by a malicious server, is the best we can do for web apps unless/until major browser vendors incorporate client-to-client encryption. Right now there is no reliable protection against a compromised server, but I would like to at least see web apps strive to be more accountable.