[tor-dev] Grailo.net is live (but very young)

tor at lists.grepular.com tor at lists.grepular.com
Sun Dec 2 13:44:16 UTC 2012


On 01/12/12 23:39, Clay Graham wrote:

> You may remember an email from me about a week ago, and I could really
> use some pointers.
> 
> We just stealth launched an alpha version of http://grailo.net and I
> would love all of you to try it out and give me feedback. Its 100% open
> source, 100% free, and you can even fork the project yourself on github. 
> 
> Its goal: Create a simple to use client side, RSA public key encryption
> for microblogging on the internet.
>  
> The reason I am reaching out to you is I am I am interested in creating
> a client side plugin for the TOR browser so that people can use the
> client side encryption safely and privately, and without fear. Since
> scripting is disabled in TOR, with good reason, I want a plugin that is
> blessed by the TOR project as open and safe for encryption.
> 
> Any leads on where to get started are greatly appreciated.

I can't trust any javascript that your service sends to my browser over
Tor, because you don't use https. That javascript on the signup page
which generates your private key... How do I know that script came from
your server and that it's not a modified version which came from an exit
node, which is going to report the key back to them after it is generated?

At a bare minimum, before I would even start considering using this
service, every single resource that your site delivers should be sent
over https, all http connections should be redirected to https. HSTS
should be used so browsers remember to use https, and you should contact
the Chromium project to get yourself on their list of pinned SSL sites
for first time visitors (which is also used in Firefox now I believe),
and is also used in the HTTPS-Everywhere project for rule generation.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 598 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20121202/0d5d80a7/attachment.pgp>


More information about the tor-dev mailing list