You obviously don't know what you are talking about or just did not get
what I explained or just do not understand http versus https or the
contrary, or just do not understand the web, what's on client side
(browser) or on server side, or don't get that your extension can be
mitmed too including its signature.
So unfortunately I have to stop this discussion right here with you, not
to waste the time of serious people on this list, if you want to restart
with another tone, then please go, but first checkout what is writen on
Peersm site, everything is explained, including your focus on elementary
mitm issue, your arguments and judgement are so basic that I am
wondering why I am answering it, you should do some reading, and if you
can trivially defeat Peersm, then just show us how
Le 21/07/2014 22:53, Tony Arcieri a écrit :
On Mon, Jul 21, 2014 at 12:59 PM, Aymeric Vitte
<vitteayme...@gmail.com <mailto:vitteayme...@gmail.com>> wrote:
Please read again what I have written, your answer just extracts
really basic parts out of the context and does not take into
account the whole picture that I have explained, I already read
the link you provided some years ago, I recall it as trivial
and/or too old statements unfortunately having still enough
visibility on the web to disinform people.
I read what you wrote. You're wrong. You are very, very wrong.
The code loading is an unsolvable issue unless you do what I have
writen.
Loading JavaScript of any kind over plaintext HTTP is a bad idea.
Loading JavaScript implementing cryptography is a sign you have no
fucking clue what you're doing. It's the equivalent of a giant "DANGER
WILL ROBINSON: THIS CODE IS UNSAFE" sign.
Extensions, plug-in, add-on can not secure you more than a js code
that you can not hide
Browser extensions are cryptographically signed. Plaintext HTTP is
trivially rewritten by an attacker. Systems like Peersm are
horrendously vulnerable to an active attacker.
And at the end, what I am talking about is a standalone js app
inside browsers, this is highly doubtful that someone can question
the security of this, I would like to see it (but then please read
exactly what I wrote)
If someone has a "privileged network position" (i.e. your barista),
they can catastrophically compromise the alleged "security" of such a
system via an incredibly trivial MitM attack.
This same attack cannot be performed against cryptographically signed
browser extensions. Even adding HTTPS to your HTML/JS site would be a
step up.
This app is poorly implemented and dangerous and it would be best for
you to either find some way to serve it over HTTPS or delete it from
the Internet.
--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
--
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
change to digest, or change password by emailing moderator at
compa...@stanford.edu.
