
All JS is executed in the browser. If the malicious site wanted to steal the data, it must send the key to the server.

With enough inspecting, debugging, and network watching you would be able to see what they're doing and how.

While I agree you can obfuscate this in the JS payload, it doesn't make e2e encryption in web apps "meaningless". It would just take one user doing some due diligence to expose the malice.



It does not work this way if this attack is targeted at very few users, and it's trivial to serve different scripts to different users.



