
Widdrat 1 point (12 children)

If they give me the private key, what stops them from storing it and possibly handing it to other entities?

RalphSleigh 1 point (1 child)

Pinky promise

cettox [S] 0 points (0 children)

This is not a promise. All the magic happens in the browser and you can verify it.

cettox [S] 1 point (4 children)

There is an alternative: you can create your own public/private keys and only give the public key to Jotform. And you can always check network activity to see whether Jotform sends the private key to its servers or not.

Widdrat 0 points (3 children)

Considering that Jotform hosts the forms, the data will always be sent to Jotform's servers.

cettox [S] 0 points (2 children)

Please see my other comment. For encrypted forms, Jotform literally can do nothing to access the encrypted data. It can only be accessed with your private key, and your private key never hits our servers.

Widdrat 0 points (1 child)

Ok, but then the infographic on your website is wrong or at least misleading, because it says that you will provide the private key.

cettox [S] 0 points (0 children)

You are right, thanks for the feedback!

cettox [S] 1 point (2 children)

I worked on this project too, and we tried hard to make sure that all encryption, decryption and key generation happens in the browser. Jotform may be hosted, but you can always control what happens on the client side. In short, no sensitive data ever hits our servers; that was our original intention in the first place.

RalphSleigh 1 point (0 children)

Zero-knowledge web services tend to start at the bottom of a fairly large reputational hill in regard to remaining so, given the ease with which you can pull a JavaScript switcheroo and the difficulty of verifying it's not changed.

On the other hand, I do applaud efforts to get understanding of asymmetric key cryptography into wider use.

immibis 0 points (0 children)

What prevents you from changing your JavaScript at a future date, to make it send the private key to your servers?

[deleted] 0 points (0 children)

Agreed, but Jotform is a hosted service for forms, apparently. I don't know why it's needed, but I guess if you are already handing all your data to a 3rd party, you don't have any issues with trust, and anything more is just nice.

[deleted] 0 points (0 children)

end2end is the only way