by mlatu
4303 days ago
http://blog.cryptographyengineering.com/2012/12/the-anatomy-... As long as we need to depend on JavaScript for crypto, there will not be a secure way to do such things. I'm saying this because you cannot safely assume the integrity of your crypto system to be intact if you have to download it with the page it's used on. That's about the same as always having to download your SSH client first from the server you are connecting to. Someone could tinker with that download and give you something that uses the attacker as a proxy to connect to your server of choice, and while you notice nothing, that malware would upload your private key. The same thing could happen when you use some sort of crypto implemented in JavaScript. Let's talk about this when someone has made it possible to have a website instruct the browser to make a call to a crypto library or some such.

Please read up on what "nodejs" is before lambasting it with an oft-repeated security trope.