
RE: Draft finding - "Transitioning the Web to HTTPS"

From: Domenic Denicola <d@domenic.me>
Date: Sat, 20 Dec 2014 03:51:59 +0000
To: Tim Berners-Lee <timbl@w3.org>
CC: Marc Fawzi <marc.fawzi@gmail.com>, "Eric J. Bowman" <eric@bisonsystems.net>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
Message-ID: <CY1PR0501MB136954D135EB0169F92421DDDF680@CY1PR0501MB1369.namprd05.prod.outlook.com>
From: Tim Berners-Lee [mailto:timbl@w3.org] 

> Yes, but once the webcrypto code is unpolyfilled into the browser that attack will go away, and you will be able to use it to build new trust systems, right? 

No, sad to say. Since the network attacker could modify whatever JavaScript code you are using to implement those trust systems, or could even simply insert something like

// Attacker-injected: an own-property getter on the crypto instance shadows the native "subtle" accessor
Object.defineProperty(window.crypto, "subtle", {
  get() {
    return new CompletelyFakeWebCryptoImplementation();
  }
});
Received on Saturday, 20 December 2014 03:52:30 UTC
