This repository has been archived by the owner on Aug 28, 2020. It is now read-only.
Commit
a67bd70
I see what matasano or nccgroup are getting at, but... there is a use-case for javascript cryptography; specifically: a securely-delivered polyfill client for decrypting things that the server doesn't have plaintext for. Put another way, it's good for tunnelling pgp communications through a tls connection, to a browser that doesn't have pgp support built in. One can then trust that the javascript arrives untampered; one can't trust that the plaintext of what's in pgp won't be harmful, if it's treated as javascript itself --- which means: you shouldn't insert unescaped decrypted pgp into the client browser's DOM.