The bigger problem is that this model is inherently flawed. Even if end-to-end encryption with browser crypto were implemented, there is never any security since the code in the browser can simply be swapped with compromised code that diverts the plaintext somewhere.

I've been forced to use this service, by way of healthcare professionals just disclosing correspondence to this service without asking for my consent.

Smeerlappen.

▲

tucnak a day ago | parent | next [-]

> there is never any security since the code in the browser can simply be swapped with compromised code that diverts the plaintext somewhere.

This is not the case in the land of DICE-like key derivation; see TKey protocol for example. You can download and run an actual rv32 program on actual FPGA over WebUSB without having to worry about its provenance. If the program is modified, firmware will derive a completely different key.

▲

pareidolia a day ago | parent [-]

Zivver is a web application. The javascript that comes with the webpage can change at any time for any reason, as Zivver sees fit.

▲

tucnak a day ago | parent [-]

I'm simply pointing out that web standards allow for secure end-to-end communication, and more, in fact they happen to allow arbitrary cryptographic constructions—as long as the program itself never changes.

▲

pareidolia a day ago | parent [-]

But this requires special hardware right?

	▲	tucnak a day ago \| parent [-]
		Not necessarily. You can run TKey in qemu :-) etc. The hardware aspect is what makes it easy to use, with WebUSB and all. The derivation algorithm is key. And it takes program binary as parameter to Blake2 hash function.

▲

_el1s7 a day ago | parent | prev [-]

Security is an illusion.

▲

pareidolia a day ago | parent [-]

Then reply with your passwords.

▲

sallveburrpi a day ago | parent [-]

******

Luckily HN automatically detects when you post your password and obfuscates it with * - try it out yourself!

▲

pareidolia a day ago | parent | next [-]