as far as i can see, client-side e2e encryption in the browser requires *a bunch* of changes to browser tech?

we can't do it with cookies holding the private keys, since many people block cookie usage & cookies are readable by anyone. we'd need to have local storage that the server authenticates for, otherwise any server would be able to read out the private key from storage via js & send it to the attacking server…

Follow

@niplav

If you don't trust the entities that hold valid (according to your browser) TLS keys for the domain that provides the software, then you can't do anything: whoever provides the software can start providing software that does something different than you want it to do.

If you do trust any entity that holds valid TLS keys for some domain, then you can have javascript provided by that domain use normal localStorage (developer.mozilla.org/en-US/do). localStorage is bound to origin: i.e. the browser will allow code that executes in context of a page to access localStorage for that page's origin and no other (by "origin" I mean essentially the domain: developer.mozilla.org/en-US/do).

Sign in to participate in the conversation
Qoto Mastodon

QOTO: Question Others to Teach Ourselves
An inclusive, Academic Freedom, instance
All cultures welcome.
Hate speech and harassment strictly forbidden.