Yes, presumably this danger could be mitigated through a combination of code inspection and sandboxing. But, one of Nanashi’s stated motivations for developing this was that “I had yet to find an easy way to do this that didn’t involve downloading command-line based software”. I doubt that anyone who is adverse to running a command-line program would be very excited about inspecting a javascript application for security vulnerabilities and/or sandboxing it each time he/she wants to sign a message.
As much as I dislike blindly following rules in most cases, I think that ChristianKI is correct that any security-related web application ought to be secured via SSL.
I think what I could have been more clear about was the use case here: this tool in its current form is sort of “pre-Alpha”. Previously the script was just sitting locally on my computer and I thought it could be useful to others. If I ever try to deploy this on any sort of larger scale, absolutely it will be done on an SSL server. But for right now, it’s just being shared amongst a few friends and the LW community.
If it turns out that people are using the tool frequently, I’ll probably go ahead and pay to upgrade my hosting plan to SSL. But for something that’s a free tool not meant for wide distribution, which takes about 7 seconds to right click and hit “Save As”, I just didn’t see it as necessary just yet.
Understood. Obtaining an SSL cert is a hassle (and an expense if you obtain it from a cert authority) that may not be warranted for a pre-alpha release. As long as your users use discretion before signing using their “real” private keys, I don’t see any issue.
Thanks for making these available; the Decoy app sounds particularly innovative.
Yes, presumably this danger could be mitigated through a combination of code inspection and sandboxing. But, one of Nanashi’s stated motivations for developing this was that “I had yet to find an easy way to do this that didn’t involve downloading command-line based software”. I doubt that anyone who is adverse to running a command-line program would be very excited about inspecting a javascript application for security vulnerabilities and/or sandboxing it each time he/she wants to sign a message.
As much as I dislike blindly following rules in most cases, I think that ChristianKI is correct that any security-related web application ought to be secured via SSL.
I think what I could have been more clear about was the use case here: this tool in its current form is sort of “pre-Alpha”. Previously the script was just sitting locally on my computer and I thought it could be useful to others. If I ever try to deploy this on any sort of larger scale, absolutely it will be done on an SSL server. But for right now, it’s just being shared amongst a few friends and the LW community.
If it turns out that people are using the tool frequently, I’ll probably go ahead and pay to upgrade my hosting plan to SSL. But for something that’s a free tool not meant for wide distribution, which takes about 7 seconds to right click and hit “Save As”, I just didn’t see it as necessary just yet.
Understood. Obtaining an SSL cert is a hassle (and an expense if you obtain it from a cert authority) that may not be warranted for a pre-alpha release. As long as your users use discretion before signing using their “real” private keys, I don’t see any issue.
Thanks for making these available; the Decoy app sounds particularly innovative.