I assume that’s a joke, but just in case…

At a brief glance, Spynote doesn’t look very useful to me. It appears to encrypt using javascript on the client, which is a good start. But the javascript is delivered over http. To be secure you would have to first verify or trust that the code is good, and then manually verify each time you use it that you really have downloaded the correct javascript. Otherwise some web proxy or other mitm could serve you a modified javascript which encrypts using an attacker’s key instead of the one you enter, and the attacker could decrypt your message at his leisure. This is unlikely (not impossible) on your home or office network, but if you ever use public Wifi you should care a lot about end-to-end encryption.

You cannot rely for security on code delivered over an insecure channel and then not somehow verified. Spynote says it is “open source”, suggesting that you might verify the code yourself for correctness rather than trusting Spynote to get it right. But even if you did that, and even if it were delivered over SSL, you’d still have to trust the Spynote server to send you the same script every time. That’s a big assumption compared with doing the sensible thing, which is to store your cryptography software on your own machine.

1) Their programmers to get the code right (this isn’t a big one, since the code is available for public review).
2) Their server to always deliver the same code (I’d say this requires a similar level of trust to storing your secrets unencrypted on a third party’s server and trusting them not to read them).
3) The intermediate network not to modify traffic from their server to you (oops).

9:13 mitm is when each end thinks it’s talking to the other end, when in fact they are both talking to a machine in between the two.
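The per-download check the comment describes, sketched as an added example that is not part of the original post or of Spynote: pin a digest of the script you reviewed, then refuse any later download whose bytes differ. The script contents, the function names and the SRI-style `sha384-<base64>` pin format are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac

ALLOWED = ("sha256", "sha384", "sha512")

def sri_digest(script: bytes, alg: str = "sha384") -> str:
    """Return an SRI-style pin: '<alg>-<base64 of the raw digest>'."""
    raw = hashlib.new(alg, script).digest()
    return f"{alg}-{base64.b64encode(raw).decode()}"

def verify_script(script: bytes, pinned: str) -> bool:
    """True only if the downloaded bytes match the pin made at review time."""
    alg = pinned.partition("-")[0]
    if alg not in ALLOWED:
        return False  # unknown or weak algorithm: refuse rather than guess
    # Constant-time comparison; a single changed byte fails the check.
    return hmac.compare_digest(sri_digest(script, alg), pinned)

# Constructed sample: the script as it looked when you reviewed it.
REVIEWED = b"function encrypt(msg, key) { return cipher(msg, key); }\n"
# Constructed sample: what a proxy on the path could serve over plain http.
TAMPERED = b"function encrypt(msg, key) { return cipher(msg, OTHER_KEY); }\n"

# Pin recorded once, at review time, and stored on your own machine.
PINNED = sri_digest(REVIEWED)

def decide(downloaded: bytes) -> str:
    """Gate every use of the script on the pinned digest."""
    return "run" if verify_script(downloaded, PINNED) else "refuse"

if __name__ == "__main__":
    print("pin:", PINNED)
    print("reviewed copy:", decide(REVIEWED))
    print("modified copy:", decide(TAMPERED))
```

The check covers points 2 and 3 of the list above (a server that changes the code, a network that modifies it in transit); point 1 still depends on the review that produced the pin.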