Let's try to get a bit deeper in the comparison of the effective
vulnerability exposure window of Chrome browser extensions vs. native
applications.
My feeling is that Chrome browser extensions are more secure than native
applications.
On 1/22/14, 9:53 AM, Tony Arcieri wrote:
It's true
Operating systems have decades of research into privilege separation
between users and processes. Browsers are a nice interface for viewing
websites. If you want signed executables and cross-platform support,
you can use e.g., Java Web Start (which is what Android apps
essentially boil down to).
Comments inline.
Edwin
On Thu, Jan 23, 2014 at 3:05 AM, Fabio Pietrosanti (naif)
li...@infosecurity.ch wrote:
Let's try to get a bit deeper in the comparison of the effective
vulnerability exposure window of Chrome browser extensions vs. native
applications.
My feeling is that Chrome
Dunno, WebRTC is so prone to MITM.
I'd rather have something secure.
On Tue, Jan 21, 2014 at 09:01:49PM -0500, Lucas Dixon wrote:
What kind of MITM attack are you thinking of? WebRTC doesn't specify a key
authentication protocol, so not sure WebRTC is anything specific enough to
The
On Thu, Jan 23, 2014 at 11:52 AM, carlo von lynX
l...@time.to.get.psyced.org wrote:
say it not secure. WebRTC is compatible with ZRTP key-authentication which
builds in a video-based auth scheme and should stop MITM attacks (last time
You can't diffie-hellman yourself out of a MITM. If
On Thu, Jan 23, 2014 at 11:58:28AM -0800, Tony Arcieri wrote:
ZRTP authentication works by negotiating what's called a short
authentication string between peers. If there's no MitM, both sides will
see the same string.
To authenticate, you start a voice/video call. You will see the person
One of the interesting aspects of WebRTC is that it has encryption baked right
into it; there's actually no way to send unencrypted media using a WebRTC
implementation. The developing specifications currently use DTLS-SRTP
keying[1], and that's what both Chrome and Firefox implement.”
All WebRTC needs to be as secure as a service like ostel.me is a browser
extension implementing ZRTP authentication between you and the callee. This
approach does not rely on PKI and does not need a server in between caller and
callee.
Also the ZRTP authentication string some of you are
I know EKR and can get him on board if people have a need (well, I can ask but
I’m not sure what his time is like).
From: Joseph Lorenzo Hall
Reply: liberationtech liberationtech@lists.stanford.edu
Date: January 23, 2014 at 1:27:55 PM
To: liberationtech@lists.stanford.edu
On Thu, Jan 23, 2014 at 3:05 AM, Fabio Pietrosanti (naif)
li...@infosecurity.ch wrote:
Browser extensions could be hacked if they are unsafe, through the use of
XSS-like attack techniques, by triggering an external payload into it
(for example from a website visited by the user).
...but as