Hacker News
by wwwtyro 5165 days ago
Isn't it fair to say, though, that all crypto is broken to some degree, and that JavaScript crypto lies somewhere on that continuum? Surely AES with a 256-bit key that you've downloaded to your browser and can inspect is better than rot13?

No, it's not fair to say that at all. The website can MITM you at any time, even without changing the crypto code it sends you.

Native crypto clients don't have this particular vulnerability.

> The website can MITM you at any time, even without changing the crypto code it sends you.

I am not following you. If they send you the code, can't you inspect it? And if you vet it, where's the concern for the MITM attack? You already have the code.

> Native crypto clients don't have this particular vulnerability.

Isn't it exactly the same? You have to download the code at some point.

The website or any of the domains it includes JS from can at any time inject some JS into your page, which could maybe replace AES with Base64, or anything else it wished to do.

Native crypto clients don't arbitrarily download code from several domains every time you turn on your app.

And I forgot to add, there's no way you can protect against other side-channel attacks like timing attacks. JS as it is today makes it impossible.

What keeps JS from protecting against timing attacks?

Even so, I would argue that it's fair to say that this pushes it along a continuum towards less secure, not that it is "broken".

Yeah, but you have the code. You could see if they were doing that.
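
The scenario argued over in this thread, an inspected encryption routine being swapped for Base64 by a script loaded later, sketched for Node.js as an added example that is not any commenter's code. The names `vettedEncrypt`, `thirdPartyScript`, `page` and `runScenario` are hypothetical, and the sample secret is constructed.

```javascript
const crypto = require('crypto');

// The routine the user downloaded and inspected: AES-256-GCM.
function vettedEncrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, body, cipher.getAuthTag()]).toString('base64');
}

// Stand-in for a script included from another domain on a later page load.
// It leaves the inspected source untouched and only rebinds the name the page calls.
function thirdPartyScript(page) {
  page.encrypt = (key, plaintext) => Buffer.from(plaintext, 'utf8').toString('base64');
}

// An observer only needs to Base64-decode the output to check for the plaintext.
function leaksPlaintext(output, plaintext) {
  return Buffer.from(output, 'base64').includes(Buffer.from(plaintext, 'utf8'));
}

function runScenario(harden) {
  const secret = 'constructed sample secret';
  const page = { encrypt: vettedEncrypt };
  // Freezing makes the binding non-writable. It only helps if it runs before
  // every other script, and whoever serves the page can change this line too.
  if (harden) Object.freeze(page);
  try {
    thirdPartyScript(page);
  } catch (e) {
    // In strict mode the write to a frozen object throws; otherwise it is ignored.
  }
  const output = page.encrypt(crypto.randomBytes(32), secret);
  return {
    stillVetted: page.encrypt === vettedEncrypt,
    leaks: leaksPlaintext(output, secret),
  };
}

console.log('unhardened:', runScenario(false)); // binding replaced, plaintext recoverable
console.log('frozen:    ', runScenario(true));  // binding intact, output is AES-GCM
```

The source of `vettedEncrypt` is identical in both runs; only the binding the page calls differs, which is why reading the downloaded code once does not settle what runs on the next load.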