Hacker News new | comments | show | ask | jobs | submit login

The main problem with SRP being mentioned at all is that it has no meaningful security value in web application context. It makes sense when client does not entirely trust server, which makes no sense when you deliver client as bunch of .js files from the same "untrusted" server.

Very true, however, most users are willing to download such things as native programs (e.g. installing web browsers) from unauthenticated sources over unencrypted connections. If you are in a position to inject .js resources, then the user's security would be compromised anyway.

EDIT: SRP is going to be integrated into TLS soon anyway, so we might as well hold our breath for that.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact