by nzadrozny
4306 days ago
Actually, I was recently pointed at Joyent's node-http-signature[1], which is pretty clever. It can sign an HTTP request using one's SSH keys. Handy for a CLI client for an HTTP API. I've done a couple of HTTP auth schemes for my day job and am thinking of using something like this for my next.

[1] https://github.com/joyent/node-http-signature/blob/master/ht...
As long as we need to depend on JavaScript for crypto, there will not be a secure way to do such things. I'm saying this because you cannot safely assume the integrity of your crypto system to be intact if you have to download it with the page it's used on. That's about the same as always having to download your SSH client first from the server you are connecting to. Someone could tinker with that download and give you something that uses the attacker as a proxy to connect to your server of choice, and while you notice nothing, that malware would upload your private key. The same thing could happen when you use some sort of crypto implemented in JavaScript.
Let's talk about this when someone has made it possible to have a website instruct the browser to make a call to a crypto library or some such.