| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 06 May 2010 10:42:41 -0500 From: Marsh Ray <marsh@...endedsubset.com> To: PsychoBilly <zpamh0l3@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: JavaScript exploits via source code disclosure On 5/6/2010 9:00 AM, PsychoBilly wrote: > http://www.jcryption.org/ A perfect example of what doesn't work. >>From the site: > Normally if you submit a form and you don’t use SSL, your data will be sent in plain text. > But SSL is neither supported by every webhost nor it’s easy to install/apply sometimes. Setting up a secure site is too hard, what to do?! Last I heard, millions of sites had succeeded in setting up SSL. > So I created this plug-in in order that you are able to encrypt your data fast and simple. > jCryption uses the public-key algorithm of RSA for the encryption. > > jCryption at it’s current state is no replacement for SSL, because there is no authentication, Ok, what good is it then? Adversary simply modifies your page in transit to not use the 'jcryption', or to leak him a copy of the session key. This kind of thing will only deter people who don't know any better or people with little motivation to care about your data anyway. Using it is only an admission that you are either incompetent or don't have anything worth the slightest effort to steal. - Marsh _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists