
Web security


Cryp.sr - a minimal host-proof cryptographic textpad. In this post I describe and launch cryp.sr, a small experimental host-proof application.

cryp.sr - a minimal host-proof cryptographic textpad

At the moment, it provides a simple cryptographic pad for secure storage of text - stay tuned for more services soon. If the post below looks tldr, you should just head over to the cryp.sr FAQ. First, a quick recap. Since my last post, I've hit on a useful explanatory shortcut, by drawing an analogy between host-proof apps and protocol design: host-proof apps are to traditional apps as ssh is to telnet. When we design a secure protocol, we think of communication over an untrusted channel between two endpoints. My last post argued that two of the most prominent host-proof applications - Clipperz and Passpack - had shortcomings that meant they were not "host-proof" in any practical sense.

After my previous post, I had some ideas relating to host-proof apps that I wanted to try out. The server-side is dead simple - a big hash table linking pad names with blobs of encrypted data. The upshot is this.

Cryptography - How can PrivateSky not see your data. This is Brian Spector; I'm the CEO of CertiVox.

cryptography - How can PrivateSky not see your data

Thanks for starting this discussion on PrivateSky, our secure information exchange service. I’ll do my best to answer the intelligent comments and criticisms on this thread. Second, I’ll try my best to walk the reader through step by step on how our integrated key management and two factor authentication works. I invite the folks on this thread who haven’t read the white paper to please do so. Everything I am writing has already been written in detail and is publicly available in that document on our website.

First, let’s refute the statement that we are "lying". To that end, that’s also why we open source our MIRACL SDK, freely available off of our website. To correct Lucas’ statement here: "Probably the simple answer is: it's not." That’s not correct. Of the two factors, the first factor is a mathematical token stored in your browser, locked to the domain of our authentication service, the second factor being your pin. Thanks for clarifying.

Security - Matasano Web Security Assessments for Enterprises. What do you mean, "Javascript cryptography"?

Security - Matasano Web Security Assessments for Enterprises

We mean attempts to implement security features in browsers using cryptographic algorithms implemented in whole or in part in Javascript. You may now be asking yourself, "What about Node.js? What about non-browser Javascript?" Non-browser Javascript cryptography is perilous, but not doomed. For the rest of this document, we're referring to browser Javascript when we discuss Javascript cryptography. Why does browser cryptography matter? The web hosts most of the world's new crypto functionality. What are some examples of "doomed" browser cryptography? You have a web application. Or, you have a different application, where users edit private notes stored on a server. What's wrong with these examples? They will both fail to secure users. Really? For several reasons, including the following: What's the "chicken-egg problem" with delivering Javascript cryptography?

That attack sounds complicated! Second, the difficulty of an attack is irrelevant.