Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

A secure environment would require a vetted browser and no other hostile extensions. That's certainly possible, so Scramble does have a use.


I see. So, if I set up an intricate browser clean-room environment, and I assume that the Javascript verification system you come up with actually works, I can get some of the benefit of simply installing GPG and using POP mail.


You'd still have to vet your GPG install & mail client code. Also, it's not difficult to fork the code to create a client that doesn't use the browser at all. It just hasn't happened yet.

How do you know which public key belongs to the address? Key servers? Web-of-trust? Look it up on their homepage?

Scramble has an address -> pubkey resolution system which balances security with usability.

At least with Scramble you can create a secure USB stick to boot from with all of that preconfigured. Any solution that uses bare GPG still has severe usability problems.

http://www.gaudior.net/alma/johnny.pdf


"Balances security with usability" is here literally a euphemism for "trades security for usability".


Verifying the code on your system is something that can be easily done and easily verified the next time you use it. Its your system after all.

I salute what you are trying to do, but you have to understand that the Js browser method, as it stands today, is a dead end.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: