Each email or file has its own unique key, which is stored
in and protected by a keystore in my butt. By default,
the Virtru keystore is used, but advanced users will be
able to operate their own key stores.
Our base case is indeed symmetric for each message (the key distribution is over Elliptic Curve Diffie Hellman Ephemeral).
The number one reason why we allow for symmetric message keys is to allow you to send an encrypted message to anyone, even if they don't have public keys somewhere. Distributing and using private/public keys in a trusted AND easy to use way is a problem we're currently working to solve, and will add as soon as we get that done in a way that doesn't make our software so hard to use that people stop using it.
I would say yes. Pop-unders should be blocked, and modern browsers work pretty hard to, but it is often viewed as a "low priority" sec issue, and so workarounds are found, ignored, used in the wild, and patched. Here is one implementation, I have seen working versions up to Chrome ~30:
Another serious security issue is when the popunder waits for a while as the parent frame navigates itself to e.g. "java.com", then the child navigates the parent to a malicious drive-by download. This can make it appear to "spoof" a drive-by download. This attack vector has been known and ignored forever (I think Zalewski published about this years back). IE9 and 10 actually do a good job preventing this, but I know it works in most modern browsers.
It depends what you mean by the term "associated browser security." The method they are describing stops CSRF attacks dead in their tracks (e.g. if dev set up a GET endpoint that should have been POST/PUT), prevents plaintext cookies from being stored in a nicely organized sqlite db on disk, and limits the scope of xss (xss on a 404 page would get you nothing).
> Aren't cookies restricted for a reason? Can't anyone who can execute JS on that domain swipe the JWT token out of storage and then impersonate the user?
HTTP-only cookies prevent an attacker from swiping, yes, but if you have the ability to execute JS on an arbitrary domain, you can just do your XSS attacks there, the browser will attach the cookie, and the attacker has already won.
Of course it is not a perfect solution. Just more depth. XSS into a page that inlines auth details = instant pwn, but that was already true anyways. Inlining cred info into my javascript gives me a bad feeling too.
Congrats, I have been waiting to see someone build something like this for a while. This is truly a glimpse into the future :)
Edit: I should have vetted this a little harder before commenting. I recognized the idea immediately, but the implementation here is rather lacking. Still, props for pushing the envelope.
Not really anything useful in this article. To make fibonacci "non-blocking", you use process.nextTick callbacks to "interweave" the computations, just like real threads!
It's a public wifi network that is broadcast from a device that is (probably) on your LAN. Attacker connects, finds some vulnerability, and has unrestricted access to the LAN. That is just one attack vector.
tl;dr: it degrades your security, and is generally annoying.