Full Disclosure: Re: JavaScript exploits via source code disclosure

[Marsh Ray <marsh () extendedsubset com>]

On 5/6/2010 9:00 AM, PsychoBilly wrote:
> http://www.jcryption.org/
A perfect example of what doesn't work.

> From the site:
> Normally if you submit a form and you don’t use SSL, your data will be sent in plain text.
> But SSL is neither supported by every webhost nor it’s easy to install/apply sometimes.
Setting up a secure site is too hard, what to do?! Last I heard,
millions of sites had succeeded in setting up SSL.

> So I created this plug-in in order that you are able to encrypt your data fast and simple.
> jCryption uses the public-key algorithm of RSA for the encryption.
>
> jCryption at it’s current state is no replacement for SSL, because there is no authentication,
Ok, what good is it then?

Adversary simply modifies your page in transit to not use the
'jcryption', or to leak him a copy of the session key.

This kind of thing will only deter people who don't know any better or
people with little motivation to care about your data anyway. Using it
is only an admission that you are either incompetent or don't have
anything worth the slightest effort to steal.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/