- From: Tobie Langel <tobie@fb.com>
- Date: Fri, 17 Aug 2012 18:09:23 +0000
- To: Ryan Sleevi <sleevi@google.com>
- CC: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
On 8/17/12 7:51 PM, "Ryan Sleevi" <sleevi@google.com> wrote:

>On Fri, Aug 17, 2012 at 5:47 AM, Tobie Langel <tobie@fb.com> wrote:
>
>So I would seek one clarification: Do you trust the client's local
>cache (eg: HTTP cache)?

Yes. It is not vulnerable to simple scripting through the browser's console. :)

>It would seem like an attacker with local
>privilege could just as trivially inject code to the cached entry on
>disk, and from there bypass the app-specific signature verification.

I am not a security expert and I don't know the specifics of how browsers cache scripts received through SSL. (Which itself is an indication of the difference in threat level between both types of attack).

Also, I suppose performing such an attack on certain mobile devices like the iPhone probably implies rooting the device first. This scenario doesn't.

--tobie

Received on Friday, 17 August 2012 18:10:00 UTC