[Full-disclosure] JaPCrypt
Gerardo Di Giacomo
gerardo at linux.it
Wed Feb 6 18:05:48 GMT 2008
It's true that with MITM you could "poison" the javascript to steal the
key (cookie stealing style) but I think that it's a reasonable risk due
to the "non-enterprise" environment, in which the suite has been thought
for. Stealing the key requires a targeted attack MITM, in a precise moment.
I think it's better to use JaPCrypt then normal HTTP... and don't forget
that all pages "protected" with JaPCrypt won't be indexed by crawlers.
The "main" problem by now is not massive MITM but massive sniffing, and
with this suite the problem of "mass-sniffing" is avoided.
Regards,
Gerardo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080206/2f5495b4/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.