lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 06 May 2010 10:42:41 -0500
From: Marsh Ray <>
To: PsychoBilly <>
Subject: Re: JavaScript exploits via source code disclosure

On 5/6/2010 9:00 AM, PsychoBilly wrote:

A perfect example of what doesn't work.

>>From the site:
> Normally if you submit a form and you don’t use SSL, your data will be sent in plain text.
> But SSL is neither supported by every webhost nor it’s easy to install/apply sometimes.

Setting up a secure site is too hard, what to do?! Last I heard,
millions of sites had succeeded in setting up SSL.

> So I created this plug-in in order that you are able to encrypt your data fast and simple.
> jCryption uses the public-key algorithm of RSA for the encryption.
> jCryption at it’s current state is no replacement for SSL, because there is no authentication,

Ok, what good is it then?

Adversary simply modifies your page in transit to not use the
'jcryption', or to leak him a copy of the session key.

This kind of thing will only deter people who don't know any better or
people with little motivation to care about your data anyway. Using it
is only an admission that you are either incompetent or don't have
anything worth the slightest effort to steal.

- Marsh

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists