From the main page, it looks like it is using the server's public key to 
encrypt the random session key which only the server can decrypt using its 
private key, then uses the session key with AES for the duration of the 
session.

So it doesn't sound like anything is sent over in the clear.

However, you are correct in that it doesn't have as many safeguards as SSL 
in that you don't have any independent verification that the server you are 
talking to really is the legitimate server. All you know is that your 
communications with this unverified server are reasonably secure. Kind of 
similar to the same security we have when people generate their own 
unregistered SSL certs and tell people to just accept the security warning 
the browser pops up (encryption but not verification).



On Monday, 30 April 2012 13:53:51 UTC-5, Michael W wrote:
>
> Ew. I think this project is harmful because it offers a false sense of 
> security. How is the client-side encryption javascript sent to the browser 
> in the first place? If it's not already sent over SSL, it can be 
> intercepted and modified by attackers to send a copy of the cleartext to 
> the attacker, for example.
>
> The reason why SSL is secure is because it's already baked into the 
> browser and attackers can't tamper with that machinery. This project 
> removes that.
>
> On Saturday, April 28, 2012 2:32:56 AM UTC-6, shawn wilson wrote:
>>
>> Anyone seen this?
>> http://assl.sullof.com/assl/
>>
>> Is there any work to get this working with node? Any interest?
>>
>
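
Added example (not part of the original thread and not aSSL's own code): a Node.js sketch of the exchange described in the reply above, where a random session key is wrapped with the server's public key and the payload is encrypted with AES, with and without a check on which public key the client received. The key pairs, the function names, and the choice of RSA-OAEP and AES-256-GCM are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// Constructed key pairs: the legitimate server and some other party.
const makeKeys = () => crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const server = makeKeys();
const impostor = makeKeys();
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// SHA-256 fingerprint of a PEM public key: the value a client would pin.
function fingerprint(publicKeyPem) {
  const der = crypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Client: wrap a random session key with the received public key, then
// encrypt the payload with AES-256-GCM under that session key.
// With pinnedFingerprint set, a key that does not match is refused.
function clientSend(receivedPublicKeyPem, plaintext, pinnedFingerprint) {
  if (pinnedFingerprint && fingerprint(receivedPublicKeyPem) !== pinnedFingerprint) {
    throw new Error('server public key does not match pinned fingerprint');
  }
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const wrappedKey = crypto.publicEncrypt({ key: receivedPublicKeyPem, ...OAEP }, sessionKey);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Whoever holds the matching private key unwraps the session key and decrypts.
function receive(privateKeyPem, msg) {
  const sessionKey = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}
```

Without a pin, `clientSend` encrypts to whichever public key it was handed, which is the "encryption but not verification" case from the reply. The pin only helps if it reaches the client over a channel that cannot be modified in transit, which is the objection raised in the quoted message.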
