
Raspberry Pi network plan for online free-speech role - simonbrown
http://www.bbc.co.uk/news/technology-17231698
======
Joeboy
Just to kickstart discussion (because it's an important topic)...

Common objection: using js for crypto (like cryptocat) is inherently flawed as
you have to trust the server to send the right js.

Response: Yes, but doing crypto on the client is the only way to get end-to-
end encryption, which is really the only kind of encryption worth a damn.
Without end-to-end encryption, the server _definitely_ knows what you're
saying, whereas with js crypto there's a _possibility_ the server is hacking
your communications, in a way that's at least somewhat detectable. Using js at
least provides a way to get _reasonable_ security, and is potentially a way of
bootstrapping secure client-side encryption.

Is my thinking wrong?

~~~
simonbrown
Well, cryptocat uses SSL anyway. I'm also not sure whether the plan is to use
JS or native crypto.

~~~
Joeboy
Looking at <https://github.com/kaepora/cryptocat/tree/master/js/src>, it
looks like it does its crypto in js. Not sure what the ssl is for - maybe it
makes the handshaking / key exchange more secure or something?

~~~
simonbrown
I mean the raspberry pi thing. The SSL is presumably to stop a MITM switching
the JS for something malicious.
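
The thread's two points, that server-delivered JS can be swapped and that a swap is "at least somewhat detectable", can be made concrete with a hash audit. This is an added example, not code from the thread or from cryptocat: it compares the scripts a server delivered against digests pinned out of band. The file paths, script bodies and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Subresource-Integrity style digest: "sha384-" + base64(SHA-384(body)).
function sriDigest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body).digest('base64');
}

// pinned: { path: digest } obtained out of band (assumed: a published release).
// served: { path: body } as actually delivered by the server in this session.
function auditScripts(pinned, served) {
  const findings = [];
  for (const [path, expected] of Object.entries(pinned)) {
    if (!Object.hasOwn(served, path)) {
      findings.push({ path, issue: 'missing' });
    } else if (sriDigest(served[path]) !== expected) {
      findings.push({ path, issue: 'modified' });
    }
  }
  // A script the release never contained is as suspicious as a changed one.
  for (const path of Object.keys(served)) {
    if (!Object.hasOwn(pinned, path)) findings.push({ path, issue: 'unpinned' });
  }
  return findings;
}

// Constructed sample data (hypothetical files, not real cryptocat sources).
const release = {
  'js/crypto.js': 'function encrypt(m, k) { return cipher(m, k); }',
  'js/chat.js': 'function send(m) { post(encrypt(m, key)); }',
};
const pinned = Object.fromEntries(
  Object.entries(release).map(([path, body]) => [path, sriDigest(body)])
);

const servedClean = { ...release };
const servedTampered = {
  'js/crypto.js': release['js/crypto.js'],
  'js/chat.js': release['js/chat.js'] + ' // changed in transit or at the server',
  'js/extra.js': 'void 0;',
};

console.log(auditScripts(pinned, servedClean));
console.log(auditScripts(pinned, servedTampered));
```

The check only means something if the auditing code and the pinned digests reach the user by a path the server does not control; a check shipped by the same server can be swapped along with the scripts.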

