W3C home > Mailing lists > Public > public-sysapps@w3.org > November 2012

Re: how to protect javascript codes

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Sat, 17 Nov 2012 11:51:13 +0900
Message-ID: <CAE-+aYJPLqF6VxebF1z71XNBCVk926v7jteJ+N4pnGnQon3WTQ@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "webcrypto-comments@w3.org" <webcrypto-comments@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-sysapps@w3.org" <public-sysapps@w3.org>
HTTPS covers transmission security.

my concerns is stored (session or local storage) JS integrity.
it can be modified by proxy with code rewrite.

I'm comparing javascript with binary plugins (like activeX or applet)
under the activeX or java applet
the code integrity can be verified by signature with signer's certificate.

I'm expecting similar mechanisms.


On Sat, Nov 17, 2012 at 11:06 AM, Hill, Brad <bhill@paypal-inc.com> wrote:

>  Loading over HTTPS is the typical way to ensure the authenticity of
> origin and integrity in transport of Web applications and JavaScript.****
>
> ** **
>
> I think we could better answer your question if you can help us understand
> why HTTPS isnít adequate.****
>
> ** **
>
> -Brad Hill****
>
> ** **
>
> *From:* mountie@paygate.net [mailto:mountie@paygate.net] *On Behalf Of *Mountie
> Lee
> *Sent:* Friday, November 16, 2012 5:07 PM
> *To:* webcrypto-comments@w3.org
> *Cc:* public-webappsec@w3.org; public-sysapps@w3.org
> *Subject:* how to protect javascript codes****
>
> ** **
>
> Hi.****
>
> ** **
>
> I have a question.****
>
> ** **
>
> how to protect javascript codes loaded from remote server or installed
> webapps?****
>
> ** **
>
> I were trying to find protecting mechanism. but fail to find exact
> description from documents of webcrypto WG, WebAppSecWG and SysApp WG.****
>
> ** **
>
> the reason why we need to protect javascript codes are as following****
>
> - javascript codes are easily changed on client side.****
>
> - service provider want to make sure the business logic implemented with
> javascript is exactly same to server's****
>
> ** **
>
> I think hosted JS model and installable webapp model has no different.****
>
> ** **
>
> for installable webapp model, ****
>
> before installing webapp, it have to be verified the integrity of webapp.*
> ***
>
> ** **
>
> these requirements are mentioned in many email threads or usecases on
> webcrypto WG****
>
> at "security of a client-side JS API" (
> http://lists.w3.org/Archives/Public/public-webcrypto-comments/2012Nov/subject.html
> )****
>
> at http://www.w3.org/2012/webcrypto/wiki/Use_Cases#Signed_web_applications
> ****
>
> ** **
>
> JOSE is focusing to json returned data itself. it can not cover js code
> itself.****
>
> ** **
>
> I have discussed with a member of SysApp WG.****
>
> and even by the joint session at TPAC with webappsec WG****
>
> ** **
>
> I can not get proper answer.****
>
> ** **
>
> do we need to consider protecting mechanism for loaded or installed
> javascript codes?****
>
>
> ****
>
> ** **
>
> --
> Mountie Lee
>
> PayGate****
>
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net****
>
> ** **
>
> =======================================****
>
> PayGate Inc.****
>
> THE STANDARD FOR ONLINE PAYMENT****
>
> for Korea, Japan, China, and the World****
>
> ** **
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Saturday, 17 November 2012 02:51:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 17 November 2012 02:51:58 GMT