Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/SteveBellovin/statuses/114277213870286293">Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 04-Apr-2025 11:15:27 JST</a><a href="https://infosec.exchange/@SteveBellovin" title="stevebellovin@infosec.exchange"><img src="https://gnusocial.jp/avatar/297340-48-20241117214354.webp" width="48" height="48" alt="Steve Bellovin" style="position: absolute; left: 0; top: 0;">Steve Bellovin</a><div><a href="https://mastodon.social/@arstechnica/114276108286559267" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://mastodon.social/@arstechnica">@arstechnica</a> There's another problem here. If the encryption is being done client-side by *any* browser, it's being done by JavaScript—and who knows what the JavaScript is doing? I call this the trust-binding problem. When you download software or an update to it, you're making your decision to trust the vendor at that point. With JavaScript encryption and decryption, you're making that decision every time you load the page. This is a very different concept, and one that isn't make clear to users. (In theory, there could be browser extensions to do the encryption and decryption, but that's not easy for users, and there are many different browsers out there, with very different policies on extensions.)</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4842365#notice-9483810">In conversation</a><time datetime="2025-04-04T11:15:27+09:00" title="Friday, 04-Apr-2025 11:15:27 JST">about 6 days ago</time> <span>from <span><a href="https://infosec.exchange/@SteveBellovin/114277213870286293" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@SteveBellovin/114277213870286293">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Steve Bellovin (stevebellovin@infosec.exchange)'s status on Friday, 04-Apr-2025 11:15:27 JSTSteve Bellovin
in reply to
- Ars Technica
@arstechnica There's another problem here. If the encryption is being done client-side by *any* browser, it's being done by JavaScript—and who knows what the JavaScript is doing? I call this the trust-binding problem. When you download software or an update to it, you're making your decision to trust the vendor at that point. With JavaScript encryption and decryption, you're making that decision every time you load the page. This is a very different concept, and one that isn't make clear to users. (In theory, there could be browser extensions to do the encryption and decryption, but that's not easy for users, and there are many different browsers out there, with very different policies on extensions.)
In conversationabout 6 days ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice