[Security] End-to-end encryption with JavaScript client

Jonathan Dickinson jonathanD at k2.com
Mon Sep 1 09:30:39 CDT 2008


I think I get what he is saying. Your JavaScript may be cached by your browser, which would open it up to tampering locally.

The JS over HTTP really depends on the browser being 'proper'. They are supposed to warn you if ANYTHING downloaded is not over HTTPS. Images, JavaScript et al.

> -----Original Message-----
> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
> Behalf Of Bartosz Malkowski
> Sent: Sunday, August 31, 2008 7:30 AM
> To: XMPP Security
> Subject: Re: [Security] End-to-end encryption with JavaScript client
>
> Dirk Meyer writes:
> > IF you have the script on your PC and not from a server. It makes no
> > sense to talk about e2e security when you receive your XMPP client
> > from a server just before you use it. Even better: most JavaScript
> > files are sent over HTTP, not HTTPS.
>
> I trust MY server. I trust files I received from My server.
> Communication Me<->MyServer<->He is secured in my opinion. But
> Me<->MyServer<->HisServer<->He isn't (I don't trust the administrator of
> HisServer).
>
> But maybe You're right -- it makes no sense...
>
> --
> Bartosz Małkowski
> JID: bmalkow at malkowscy.net
