Yeah but no user is ever going to be able to remember either of those passwords, even the website encourages people to write it down. So when the FBI raids Johnny's house and they find his post-it note next to his…
Sooo what happens when whiteout gets an NSL and suddenly the "we don't store the keycode on our server.... trust us" mantra gets thrown out the window? Why invent your own authentication protocol with AES-256-GCM when…
The main crux of this whole post is that PGP is still good it's just that it's hard to use and there's no mobile support. Unfortunately for whiteout, there are many different mobile PGP implementations that do…
I find it hilarious you're still fixated on the idea of the trust chain and haven't addressed any of my actual points about the crypto, besides making a lot of hand-waving and saying "well it's not secure, BUT NOTHING'S…
Actually that's not what I'm saying at all. I'm critiquing the implementation of this for several reasons: -The JS crypto can be trivially MiTMed. Your approach of checksumming the JS you outlined in another comment…
4) So they can redirect all users to a non-HTTPS site. That's interesting. What youre saying is ridiculous, it's nothing to do with "completely" trustless, you're not trustworthy at all. The "we promise we wont serve…
1. This is not about being perfect, this is about being trustworthy or secure. Right now this is very dangerous to be promoting as even remotely private, as you claim on both your website and twitter. This is no more…
Yeah... this is a really dangerous and fundamentally flawed idea. Anyone with a basic grasp of cryptography will realize how obviously broken this is: 1. It uses JS encryption, which is essentially useless as you could…
Yeah but no user is ever going to be able to remember either of those passwords, even the website encourages people to write it down. So when the FBI raids Johnny's house and they find his post-it note next to his…
Sooo what happens when whiteout gets an NSL and suddenly the "we don't store the keycode on our server.... trust us" mantra gets thrown out the window? Why invent your own authentication protocol with AES-256-GCM when…
The main crux of this whole post is that PGP is still good it's just that it's hard to use and there's no mobile support. Unfortunately for whiteout, there are many different mobile PGP implementations that do…
I find it hilarious you're still fixated on the idea of the trust chain and haven't addressed any of my actual points about the crypto, besides making a lot of hand-waving and saying "well it's not secure, BUT NOTHING'S…
Actually that's not what I'm saying at all. I'm critiquing the implementation of this for several reasons: -The JS crypto can be trivially MiTMed. Your approach of checksumming the JS you outlined in another comment…
4) So they can redirect all users to a non-HTTPS site. That's interesting. What youre saying is ridiculous, it's nothing to do with "completely" trustless, you're not trustworthy at all. The "we promise we wont serve…
1. This is not about being perfect, this is about being trustworthy or secure. Right now this is very dangerous to be promoting as even remotely private, as you claim on both your website and twitter. This is no more…
Yeah... this is a really dangerous and fundamentally flawed idea. Anyone with a basic grasp of cryptography will realize how obviously broken this is: 1. It uses JS encryption, which is essentially useless as you could…