- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Mon, 25 Nov 2013 22:57:13 +0100
- To: public-webrtc@w3.org
On 11/25/2013 08:44 PM, cowwoc wrote: >> still believe it to be insufficient. >> >>> And finally, couldn't you simply require the use of SSL for this >>> feature and >>> then ban malicious applications based on their certificate? >> How exactly were you going to identify an application as malicious? >> After they steal someone's life savings? Keep in mind that it's only >> the matter of milliseconds to stand up a new site with a new >> certificate. > This contradicts Justin's argument as I understood it. He stated that > by moving the code from JS into a browser extension Google could ban > malicious apps as they are found. I don't see the difference between > enforcing bans by way of extensions or by way of having developer > asking the app store to approve their application (point to an > external address + SSL certificate) and then if the application is > found to be malicious simply ban all apps associated with the SSL > certificate. This way Google still gets to review apps, ban the ones > that are malicious, and users don't need to go through the hassle of > installing a plugin. When there's no application to install, what constitutes "the app", exactly? A SSL certificate does not form a contract between anyone except the certificate issuer and the private-key owner. An application present in an app store indicates that the application owner has agreed to the terms and conditions for that app store, which usually gives the app store owner the explicit right to take down the application if it is found to be malicious. -- Surveillance is pervasive. Go Dark.
Received on Monday, 25 November 2013 21:57:48 UTC