
Re: how to protect javascript codes

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Sat, 17 Nov 2012 11:25:47 +0900
Message-ID: <CAE-+aY+b30KW9hx73MDP=6ZLv3chLN9u5iXD_a5LHpUDU2AgFA@mail.gmail.com>
To: Dan Veditz <dveditz@mozilla.com>
Cc: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org
Hi.
I know it cannot be guaranteed 100%.

But I found a similar approach on the Mozilla site.

http://www.mozilla.org/projects/security/components/signed-scripts.html

The aim of Signed Script in Mozilla is actually the same as my concerns.

Are there any discussions of the Mozilla signed script project?


On Sat, Nov 17, 2012 at 10:49 AM, Dan Veditz <dveditz@mozilla.com> wrote:

> On 11/16/12 5:07 PM, Mountie Lee wrote:
>
>> The reasons why we need to protect JavaScript code are as follows:
>> - JavaScript code is easily changed on the client side.
>> - The service provider wants to make sure the business logic implemented with
>> JavaScript is exactly the same as the server's
>>
>
> You can't ever guarantee that. In the trivial case let's say we do come up
> with a fool-proof mechanism, then a user can just create their own client
> without that mechanism (both Gecko and WebKit are open source).
>
> So who's your threat? If it's the user, give up now. The user's computer
> likewise: malware can replace or hack into browser components.
>
> If both the user and site are trustworthy then we can do things to make
> sure the code is reliably transmitted between the two. The WebAppSec
> working group has discussed things along these lines.
>
> -Dan Veditz
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Saturday, 17 November 2012 02:26:33 GMT
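
The distinction drawn in this thread, as an added example that is not part of the original messages and is not Mozilla's signed-scripts implementation: a signature check detects a script altered in transit only when the client chooses to run the check. All function names and the sample script are hypothetical and constructed; Node.js and its built-in `crypto` module are assumed.

```javascript
// Added illustration; names and sample data are constructed for this example.
const crypto = require('node:crypto');

// Site side: one Ed25519 key pair; the private key never leaves the site.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Site side: sign the exact bytes of the script that will be served.
function signScript(source) {
  return crypto.sign(null, Buffer.from(source, 'utf8'), privateKey);
}

// Client side (cooperating user agent): refuse code whose signature fails.
function verifyingLoader(source, signature, sitePublicKey) {
  const ok = crypto.verify(
    null, Buffer.from(source, 'utf8'), sitePublicKey, signature);
  return ok ? { accepted: true, source } : { accepted: false, source: null };
}

// Client side (a user agent the user controls): the check is simply absent,
// so the signature gives the site no assurance about what actually runs.
function uncheckedLoader(source) {
  return { accepted: true, source };
}

// Constructed sample: the served script and a copy altered after signing.
const original = 'function total(price, qty) { return price * qty; }';
const signature = signScript(original);
const altered = original.replace('price * qty', '0');

function demo() {
  return {
    intact: verifyingLoader(original, signature, publicKey).accepted,
    alteredInTransit: verifyingLoader(altered, signature, publicKey).accepted,
    alteredOnUserControlledClient: uncheckedLoader(altered).accepted,
  };
}

console.log(demo());
```

The first two results are the case where user and site both want the code delivered unmodified; the third is why business logic that must be trusted has to be enforced on the server.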
