by pdx 3297 days ago
Why do you speak of unencrypted HTTP? Who cares? Only AES-256 encrypted data is sent and it's decoded locally. You could publish it on the front page of the New York Times (if anybody reads that anymore) and be secure, because you are publishing encrypted content.

It's really unclear what your point is here.

2 comments

Your unencrypted (or just unauthenticated) HTML page might suddenly start sending the password you enter elsewhere...
Really, how? Because somebody compromised the server? So what? If they did that, all bets are off.
No, because someone MITMs your insecure channel and serves you a malicious page that steals your password and the unencrypted data.
The OP's point is very clear. JS encryption has a lot to do to prove itself before it should be trusted with production secrets.

Furthermore, weak encryption is worse than no encryption if it encourages dangerous behavior.

I would add that dropping SSL because you are using something like this would be dangerous behavior.