You’re all over this thread posting bad takes. Of course you can do secure encryption in a browser. There’s absolutely nothing stopping you from using any encryption algorithms within a browser whatsoever. I don’t even understand what you could possibly mean. There are so many ways to achieve it.
There are numerous ways to place decryption backdoors into a website’s JavaScript. How would you make sure that there is no MITM when trying to safely encrypt (e.g.) an e-mail in your browser?
Of course you can do secure encryption in a browser.
Talking about “bad takes”, aren’t we? There is no way to ensure that your end-to-end encryption is not decrypted on the fly when done by a website (= a potential attacker).
Who said anything about a website? You said browser. You can run fully-local resources in a browser, such as browser extensions, locally hosted tools, even just running in a .html file on your local disk somewhere. Javascript also isn’t the only option available to solve this problem.
You can run fully-local resources in a browser, such as browser extensions, locally hosted tools, even just running in a .html file on your local disk somewhere.
How would you do that without violating essential security measurements?
Create or download an implementation of your preferred encryption algorithm for Javascript (or use some WebAssembly alternative). e.g. https://github.com/ricmoo/aes-js
Run the implementation on your local computer and open it in a browser.
You are aware that WASM requires JS, right?
I mean, yes, running the application itself would be secure, but that’s not in the browser. You cannot trust your browser. Ever.
Counter-point: Cubeless and platforms like it are close enough to a browser and handle that. Also by the very loose definition of secure encryption, https.
“Close enough to a browser” isn’t a browser. GnuPG in a browser just won’t work and most other encryption facilities aren’t quite as secure (and transparent).
Counter-example: secure encryption. You can’t do that in a browser.
You’re all over this thread posting bad takes. Of course you can do secure encryption in a browser. There’s absolutely nothing stopping you from using any encryption algorithms within a browser whatsoever. I don’t even understand what you could possibly mean. There are so many ways to achieve it.
There are numerous ways to place decryption backdoors into a website’s JavaScript. How would you make sure that there is no MITM when trying to safely encrypt (e.g.) an e-mail in your browser?
Talking about “bad takes”, aren’t we? There is no way to ensure that your end-to-end encryption is not decrypted on the fly when done by a website (= a potential attacker).
Who said anything about a website? You said browser. You can run fully-local resources in a browser, such as browser extensions, locally hosted tools, even just running in a .html file on your local disk somewhere. Javascript also isn’t the only option available to solve this problem.
Not sure if you’re just trolling at this point.
You said:
No, you can’t. I explained why.
…and I just explained to you how you can?
Ok, I’ll bite:
How would you do that without violating essential security measurements?
Hope this helps.
You are aware that WASM requires JS, right?
I mean, yes, running the application itself would be secure, but that’s not in the browser. You cannot trust your browser. Ever.
Counter-point: Cubeless and platforms like it are close enough to a browser and handle that. Also by the very loose definition of secure encryption, https.
That’s a very loose definition indeed.
“Close enough to a browser” isn’t a browser. GnuPG in a browser just won’t work and most other encryption facilities aren’t quite as secure (and transparent).