Hacker News new | ask | show | jobs
by thirsteh 1837 days ago
This is for signing a document with a "hand" signature, not cryptographically signing it with a cryptographic signature. Besides, if you don't trust in-browser JS then you shouldn't trust any site on the web, e.g. online banking.

That this is running completely locally without any software to install is pretty useful and cool. Your criticism isn't great (IMO borders on concern-trolling) because the alternative is something where the docs go to some centralized SaaS that store everything including your signature for an unknown period of time.
2 comments
yakubin 1837 days ago
> the alternative is something where the docs go to some centralized SaaS that store everything including your signature for an unknown period of time.

No. The alternative is using a desktop application, which offers a superior UX in every way.

I don't get what's so bad about installing applications. It's painless. Browsing the web on the other hand is painful.

link
maqp 1835 days ago
"This is for signing a document with a "hand" signature, not cryptographically signing it with a cryptographic signature. "

Ah very well, then it's not as important.

"Besides, if you don't trust in-browser JS then you shouldn't trust any site on the web, e.g. online banking."

Online banking is different from the PoV of expectation of privacy. With online banking I'm managing the account the bank has plaintext access to by definition. Had this been about digitally signing a document, the vendor would be an untrustworthy third party (the signer and the verifier being 1st and 2nd parties).

"That this is running completely locally without any software to install is pretty useful and cool."

No it's running in-browser, not natively. It's not enough it runs locally, it needs to run locally the same way, every day, without requiring 365.25 code-audits per year, per user.

"Your criticism isn't great (IMO borders on concern-trolling) because the alternative is something where the docs go to some centralized SaaS that store everything including your signature for an unknown period of time."

No the alternative is a native client that does this offline, where you can inspect the source, download and compile it (hopefully reproducibly), and where you know you can trust the program acts the same way during runtime, every time. That's not true for JS applications. Since this isn't about digital signatures, I admit I was wrong in that respect. However, wrt security related programs, in-browser crypto isn't safe as the sources showed.

link