On Sun, Apr 08, 2012 at 11:55:25AM +0800, John McCabe-Dansted wrote:
> > LastPass may be secure today, but it is trivially easy for LastPass
> > (or a hypothetical attacker who gains access to LastPass's
> > infrastructure) to compromise that security simply by replacing the
> > javascript code which does the client side encryption and decryption
> > with some code that also passes the encryption key back up to the
> > server (or wherever).
>
> Hmm, in principle Firefox could support native encryption, where you
> add the key to Firefox directly before even visiting the website.
> Being a bit careful about frames and/or javascript should give you a
> secure solution. The major issue then is, if security matters to you,
> why do you want to access these files from the web? Are you sitting
> down on an untrusted computer and just blindly entering your encryption
> key?
>
> Still, adding support for securely encrypted files as a cross browser
> standard seems like a fundamentally cool thing to do.

When Mozilla first came out, they had some built-in encryption capability. The NSA folks forced them to remove it and even the hooks. I kept my own copy patched for a while; I just lacked the time. And then Zimmermann and his PGP pretty much broke the back of those efforts to keep strong encryption out of the hands of real people and the capabilities gradually returned.

Do not ever trust these people. If you have a company that is US based (some other countries are probably even worse), someone will show up (or less melodramatically, you will receive a very official letter) and tell you how you are going to co-operate with them. And that you really do not have a choice.

A friend of mine who had his own small ISP for a few customers had the FBI show up at his door to tell him that he had to supply them with a link for monitoring his dial up connections. He chose to remove the dialups entirely and they went away.

Some ISPs here in the UK at one point got told they had to supply a leased line to the police at their own expense.

So make no mistake. Point to point encryption with locally held secure keys is the *ONLY* choice if you actually want privacy and not pretend privacy.

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss