From: Jim Manico (jim manico.net)
Date: Wed May 20 2009 - 01:17:51 CDT
> So they implement RSA/twofish/etc in Javascript and run that in the browser
But can't we stop here? Once a solution depends on client-side, especially browser-based client-side encryption, aren't you dead in the water (i.e., substantial risk) from the design itself?
- Jim
----- Original Message -----
From: Dave Aitel
To: dailydave lists.immunitysec.com
Sent: Tuesday, May 19, 2009 1:44 PM
Subject: [Dailydave] entropicdata.com ?
Lots of people are doing things in web services (AJAX, etc) that require real crypto. So they implement RSA/twofish/etc in Javascript and run that in the browser. But this requires a way to generate a key which requires some entropy. There's no "feed of random numbers" that I know of on the web that you can use to seed your crypto, probably because of cross site restrictions. But it seems like either google gears, HTML5, or one of the other new extensions should offer it as a built-in API.
Likewise if they allowed you to get data from other sites (which the new Firefox does sometimes?) then you could set up a web service for people to use to get their entropic data from (over SSL of course :>).
What else are people using for this? It seems to be a bit of a theme here at SyScan (re: David Thiel's RIA presentation). Is there an API in Silverlight/Flash/etc that lets you get entropy and then give it back to the browser context?
-dave
------------------------------------------------------------------------------
_______________________________________________
Dailydave mailing list
Dailydave lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
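
Added example, not part of the original thread: Dave's message asks for a built-in browser API that supplies entropy for key generation, and the Web Crypto call `crypto.getRandomValues`, standardized after this 2009 exchange, now fills that role. The helper names (`randomBytes`, `generateKey256`, `randomInt`, `toHex`) are illustrative assumptions; the code fails closed when no CSPRNG is present instead of falling back to `Math.random()`.

```javascript
// Added example (not from the thread): key material from the platform CSPRNG.
// Resolve Web Crypto in browsers and Node; older Node exposes it only via require().
const webcrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// Refuse to continue without a CSPRNG. Math.random() is not
// cryptographically secure and must never be used as a fallback.
function requireCsprng(rng) {
  if (!rng || typeof rng.getRandomValues !== 'function') {
    throw new Error('no CSPRNG available; refusing to generate key material');
  }
  return rng;
}

// Return n bytes from the CSPRNG (getRandomValues accepts at most 65536 bytes per call).
function randomBytes(n, rng = webcrypto) {
  if (!Number.isInteger(n) || n <= 0 || n > 65536) {
    throw new RangeError('n must be an integer in 1..65536');
  }
  return requireCsprng(rng).getRandomValues(new Uint8Array(n));
}

// 256-bit symmetric key as raw bytes.
function generateKey256(rng = webcrypto) {
  return randomBytes(32, rng);
}

// Uniform integer in [0, max) using rejection sampling, which avoids the
// modulo bias of a plain `value % max`.
function randomInt(max, rng = webcrypto) {
  if (!Number.isInteger(max) || max <= 0 || max > 0x100000000) {
    throw new RangeError('max must be an integer in 1..2^32');
  }
  const source = requireCsprng(rng);
  const limit = Math.floor(0x100000000 / max) * max; // largest multiple of max <= 2^32
  const buf = new Uint32Array(1);
  for (;;) {
    source.getRandomValues(buf);
    if (buf[0] < limit) return buf[0] % max; // values >= limit are discarded
  }
}

// Hex encoding for display or transport of the raw bytes.
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}
```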