@fodder: This seems to be talking at cross-purposes. I am not positioning myself as an advocate or supporter of FrogTea, about which I am relatively ignorant - don't even use it - but merely as a supporter of the innovative idea of the usefulness of something like FrogTea and which I had always considered a novel approach, though not one that I would necessarily advocate using under all circumstances.
In doing this, I am thus attempting to contribute something positive, constructive and potentially useful to DC Forum members, by extending and building on a discussion based on someone else's (@berry's) proposal regarding an encryption tool.
Sure, I can see some potential weaknesses in the use of FrogTea, but what puzzled me in your initial response was what seemed to be your outright damning of the whole thing in this thread - for no compelling, apparent, verifiable and substantive reason - as though it could not possibly be any kind of useful encryption tool. That would seem to be absurd.
In the other thread, you went further and even asked what use/purpose it had and were seemingly mistakenly implying/thinking that I was putting FrogTea forward as some kind of a proposed technological solution to address the issues/problems in that other thread (which I decidedly wasn't doing and which would have been an absurd thing to do in any case).
So you apparently couldn't see the purpose of FrogTea, and yet you effectively damned it as being entirely not fit for purpose, which would seem to be contradictory.
That all rather seemed to me as though you might be having an irrational outburst of some kind, as though you simply just didn't like the thing, nor any part of it, ignoring its potential - although it had what seemed to be a valid and clear set of some strong pros and fewer cons as an encryption tool filling a niche (QED).
You could be (say) largely correct in what you write above, but where you write:
...For academia, that is. Our friendly three-letter agencies haven't got the same resource constraints, nor a drive for public glory. ...
_____________________
-f0dder
- it seems to be based on requirements from your perspective that might be somewhat purist/stringent and thus a tad over-the-top for the kind of domestic situation that I postulated for the average Joe:
However, for the purposes of securely encrypting the typical user's portable bits of personal/private/confidential HTML and text-based data - e.g., to protect against (say) the event where the device holding the data is lost/stolen - with the ability to sync/share it across several devices (all having java and browsers), and between specific trusted people, it seems that FrogTea could potentially be rather useful.
_______________________
-IainB
Indeed, it still does seem true that "...FrogTea could potentially be rather useful" - in that niche.
I could be wrong, of course, but I don't see where HTConsulting were suggesting that the requirement was to lock out potential attacks from the likes of the NSA, or suggesting that it was even desirable to have such a high standard of security that one could lock out the likes of the NSA. Maybe if @berry was a habitué of the DC Forum, he would be able to enlighten us both on this matter, but meanwhile we shall just have to suppose.
That's why I made the joke about the unlikely extreme perspective - in the shape of my neighbour Dmitry - and pointed out the more likely relevance of a typical use case:
...If one wanted to explore this further, it could be interesting to know how xTEA has been broken, or something, and where that is documented, and how easy that might be to replicate for the average laptop/smartphone thief.
____________________
-IainB
- because that is arguably likely to be the typical use case that could be most relevant/applicable for the average Joe. However, it would be incorrect to interpret that - as you seemed to do - as meaning that the requirement was necessarily a "...hard requirement of no other requirements than a browser (e.g. no executables)". I was not touching on what the requirements really were or should be.
On the contrary, all I was attempting was to retrofit the features to suggest that FrogTea seemed to have the potential to be quite handy if one felt one could make use of such-and-such FrogTea features as it possessed.
This is always remembering that features are not the same thing as requirements, and vice versa.
If we were concerned with the objective of locking out the SS (Secret Services) of this world for ordinary domestic IT users like myself, then I would suggest that this objective is already infeasible and would be "p#ss#ing in the wind", self-defeating and a huge waste of effort.
The SS have already amply demonstrated their power and that they are unstoppable, and if they are blocked from covertly entering through the back door, then they will simply overtly break down the front door and enter that way, and then subject the user to methodical and excessively disproportionate violence (e.g., Kim Dotcom raid) and subsequent public and harmful, punitive treatment using an expensive and compliant state-controlled police and judiciary across nations. This makes extraordinary public examples of those who fail to obey, to dissuade others from disobeying in future.
If I had thought that FrogTea was potentially that good, then I probably would not recommend its use. It would probably only provoke the SS. So "threat modelling" would be excessive and going over the top again - for most domestic security purposes.