Hacker News
by TomasSedovic 4898 days ago
They seem to be using TLS, but yeah the users have to trust Google (which hosts their jQuery js), Mozilla (which hosts their Persona js) and of course the admins of yithlibrary.herokuapp.com itself.

If any of these gets compromised, the crackers would be able to retrieve the master password of any user entering it afterwards.


Wouldn't it be possible to host it on your own server, including the 3rd party files?

And wouldn't TLS in this case protect the full session?

You still have to trust the source, but - it's on your machine. Go read it if you want?

It would and they should do it. But the whole thing would still be fundamentally insecure. Read the link submitted by raphinou:

http://www.matasano.com/articles/javascript-cryptography/