@cpu @0xabad1dea what they're trying to do is a conceptual mismatch with a web browser: http://tonyarcieri.com/whats-wrong-with-webcrypto …
@0xabad1dea @cpu even a browser extension would've been a more secure starting point. They chose the most insecure route possible to start
@bascule @0xabad1dea @cpu Which is at least secure until your browser maker subverts you, but then you're back to "On trusting trust"
@sleevi_ @0xabad1dea @cpu or if there are vulnerabilities in the extension implementation: http://www.slideshare.net/kkotowicz/im-in-ur-browser-pwning-your-stuff-attacking-with-google-chrome-extensions …
@bascule @0xabad1dea @cpu Sure, but that's the same as native code not enabling ASLR, DEP, or any of the other ways native can fail
@sleevi_ @0xabad1dea @cpu except your browser is constantly *executing* untrusted code from the Internet. For browsers, RCE is a given
@bascule @0xabad1dea @cpu Ideally, by removing the friction to do crypto in an extension, people will actually *make an extension*.
@bascule @0xabad1dea @cpu Exactly this. Dear God, this is everything I want to avoid with Web Crypto.