Re: Mobile, Web and Security

On Thursday, 17 October 2013 at 13:03 +0100, Bruce Lawson wrote:
> > * difficulty to hide the code of the app (and thus greater exposure to
> > attacks)
>
> Hiding source code feels like a mistake to me. It's literally security
> through obscurity, so shouldn't be encouraged at all

I think there are 3 things people mean by "hiding the code":
* they don't want others to steal their code; people often qualify this
as meaning the Web forces you to do open source (although that's a
mischaracterization of what open source is)
* they don't want to make it easy for others to find holes in their code
* it's nearly impossible to embed a secret (e.g. a key) in the
client-side part of the code

Now, as an individual, I personally have had very little issue with the
first two; and yes, the second has a smell of "security through
obscurity" — but even if everybody agrees that you should not rely on
security through obscurity, I think many would also agree that, given
that you can't ever be 100% secure, obscurity sometimes helps
practically reduce your risks.

More importantly, I think the question is whether we feel that anyone
joining the Web band-wagon is required to agree with disclosing (all of)
their code and renouncing any hint of security through obscurity (no
matter how each of us can feel personally about these points).

I think in practice, there are two approaches that help avoid making this
a requirement:
* code obfuscation and scrambling make it pretty hard to "steal"
JavaScript code as is (probably in the same order as e.g. Java
decompilation)

* in many cases, apps have a server-side component where the code is
completely kept away from the user, and where sensitive code can be more
easily protected

But I think there are likely useful questions to address:
* is obfuscation really provably as strong as what you get from building
native packaged apps?

* what can be done (if anything) to make it possible to include secrets
as part of your client-side code?

* are there best practices that help separate client-side/server-side
aspects based on security considerations while keeping e.g. off-line
operations?

So addressing this is probably a mix of documenting (in WebPlatform?)
what's already possible, and researching what could be improved.

Dom

Received on Friday, 18 October 2013 07:51:15 UTC