- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Fri, 18 Oct 2013 09:51:00 +0200
- To: Bruce Lawson <bruce@brucelawson.co.uk>
- Cc: public-web-mobile@w3.org
On Thursday, 17 October 2013 at 13:03 +0100, Bruce Lawson wrote:
> > * difficulty to hide the code of the app (and thus greater exposure to
> > attacks)
>
> Hiding source code feels like a mistake to me. It's literally security
> through obscurity, so shouldn't be encouraged at all

I think there are 3 things people mean by "hiding the code":

* they don't want others to steal their code; people often qualify this as meaning the Web forces you to do open source (although that's a mischaracterization of what open source is)
* they don't want to make it easy for others to find holes in their code
* it's nearly impossible to embed a secret (e.g. a key) in the client-side part of the code

Now, as an individual, I personally have had very little issue with the first two; and yes, the second has a smell of "security through obscurity" — but even if everybody agrees that you should not rely on security through obscurity, I think many would also agree that, given that you can't ever be 100% secure, obscurity sometimes helps practically reduce your risks.

More importantly, I think the question is whether we feel that anyone joining the Web band-wagon is required to agree with disclosing (all of) their code and renouncing any hint of security through obscurity (no matter how each of us can feel personally about these points).

I think in practice, there are two approaches that help not make this a requirement:

* code obfuscation and scrambling makes it pretty hard to "steal" JavaScript code as is (probably in the same order as e.g. Java decompilation)
* in many cases, apps have a server-side component where the code is completely kept away from the user, and where sensitive code can be more easily protected

But I think there are likely useful questions to address:

* is obfuscation really provenly as strong as what you get from building native packaged apps?
* what can be done (if anything) to make it possible to include secrets as part of your client-side code?
* are there best practices that help separate client-side/server-side aspects based on security considerations while keeping e.g. off-line operations?

So addressing this is probably a mix of documenting (in WebPlatform?) what's already possible, and researching what could be improved.

Dom
Received on Friday, 18 October 2013 07:51:15 UTC