- From: Mete Balcı <Mete.Balci@pozitron.com>
- Date: Fri, 18 Oct 2013 08:50:18 +0000
- To: Dominique Hazael-Massieux <dom@w3.org>, Tobie Langel <tobie@w3.org>
- CC: Bruce Lawson <bruce@brucelawson.co.uk>, "public-web-mobile@w3.org" <public-web-mobile@w3.org>
Hello all,

Although I completely agree with your comments about (2), the regulatory bodies even sometimes request this (obfuscation) as a level of protection/security. What I understand is, although it theoretically does not help the protection of the system at all, in practice it is just making it hard to break, so this validates the use for it. From the JS point of view, it is probably OK just to use minimizers/obfuscation tools. So, I do not think it is a requirement in this context for this IG, but it is just a point to keep in mind.

Also, the obfuscation is surely not a match for native apps (assuming the native app is coded in a non-intermediate language, so no Java), but I think due to heavy adoption of the JVM, it is not much of a problem, and even if it was, we cannot do much about it in this context.

Best,
Mete

________________________________________
From: Dominique Hazael-Massieux <dom@w3.org>
Sent: Friday, October 18, 2013 11:17
To: Tobie Langel
Cc: Bruce Lawson; public-web-mobile@w3.org
Subject: Re: Mobile, Web and Security

On Friday 18 October 2013 at 10:04 +0200, Tobie Langel wrote:
> > I think there are 3 things people mean by "hiding the code":
> > * they don't want others to steal their code; people often qualify this
> > as meaning the Web forces you to do open source (although that's a
> > mischaracterization of what open source is)
> > * they don't want to make it easy for others to find holes in their code
> > * it's nearly impossible to embed a secret (e.g. a key) in the
> > client-side part of the code
>
> 1. is already handled by copyright laws and patents,
> 2. is a known bad practice and shouldn't be encouraged,
> 3. is (or should be) in scope of the WebCrypto WG.
>
> So as Dom said, 1 and 2 require education and 3 driving this as a
> priority in the WebCrypto WG.
While I don't disagree with your assessment that there are other ways to protect code assets (1) and the security of a given service (2), I think sweeping away the fact that many people are not in a position to rely solely on these other methods is unlikely to be sufficient to address this problem.

I have had more than a few conversations with developers where I try to point out the very same thing that Bruce and you are pointing to, but where the person I'm talking with will simply not be able to adopt the Web as a platform if they have to start with making these specific trade-offs.

In fact, I think both of you guys have worked with proprietary code projects :), and I doubt that the fact that this code is protected by copyright and patent laws has been sufficient to make that code be publicly available.

Dom

________________________________

This e-mail and its attachments are private and confidential to the exclusive use of the individual or entity to whom it is addressed. It may also be legally confidential. Any disclosure, distribution or other dissemination of this message to any third party is strictly prohibited. If you are not the intended recipient, you may not copy, forward, send or use any part of it. If you are not the intended recipient or the person who is responsible to transmit to the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and its attachments. The sender and POZITRON YAZILIM A.S. do not warrant for the accuracy, currency, integrity or correctness of the information in the message and its attachments. POZITRON YAZILIM A.S. shall have no liability with regard to the information contained in the message, its transmission, reception, storage, preservation of confidentiality, viruses or any damages caused in any way to your computer system.
Received on Friday, 18 October 2013 08:51:06 UTC
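Two of the thread's points, that obfuscation only changes the shape of the code and that a secret embedded in the client-side part of an app ships to every user, can be made concrete with a pre-release check. The following is an added example and is not code from the thread, from the W3C group, or from Pozitron; the sample bundles, the key value (`sk_live_CONSTRUCTED...`), and the two prefix patterns are constructed for the demonstration. It scans a built JavaScript bundle for string literals that look like API keys, looking through the base64 wrapper that minifiers and obfuscators commonly emit, and shows that the only bundle that comes back clean is the one where the client holds no long-lived secret and instead obtains a short-lived token from the server.

```javascript
// Added example (not from the thread): scan a client-side bundle for embedded
// secrets before release. Obfuscation hides a key from a casual glance, not
// from a scan, and not from the browser that must decode it to use it.

// Illustrative "vendor-prefixed key" shapes. A real deployment would use a
// proper secret scanner's rule set; these are only here to keep the demo
// self-contained.
const KNOWN_KEY_PATTERNS = [
  /^sk_(live|test)_[A-Za-z0-9_]{8,}$/,
  /^AKIA[A-Z0-9]{12,}$/,
];

// Shannon entropy in bits per character; random-looking strings score higher
// than prose, identifiers or URLs.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Pull out "..." and '...' literals (escapes respected). Template literals are
// not handled; minified output, where this check runs, rarely uses them.
function extractStringLiterals(src) {
  const re = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// If a literal is well-formed base64 that decodes to printable ASCII, return
// the decoded text, otherwise null. This is the wrapper obfuscators favour.
function tryBase64(s) {
  if (!/^[A-Za-z0-9+/]{16,}={0,2}$/.test(s) || s.length % 4 !== 0) return null;
  const decoded = Buffer.from(s, 'base64').toString('utf8');
  return /^[\x20-\x7e]+$/.test(decoded) ? decoded : null;
}

// Returns one finding per suspicious literal: the literal as written, the
// value it resolves to (after unwrapping base64), and why it was flagged.
function findEmbeddedSecrets(src) {
  const findings = [];
  for (const literal of extractStringLiterals(src)) {
    // Examine the literal itself and up to two layers of base64 beneath it.
    const candidates = [literal];
    for (let i = 0, cur = literal; i < 2; i++) {
      const next = tryBase64(cur);
      if (next === null) break;
      candidates.push(next);
      cur = next;
    }
    const byPrefix = candidates.find((c) => KNOWN_KEY_PATTERNS.some((p) => p.test(c)));
    if (byPrefix !== undefined) {
      findings.push({ literal, value: byPrefix, reason: 'known-prefix' });
      continue;
    }
    const byEntropy = candidates.find((c) => c.length >= 32 && shannonEntropy(c) >= 4.5);
    if (byEntropy !== undefined) {
      findings.push({ literal, value: byEntropy, reason: 'high-entropy' });
    }
  }
  return findings;
}

// Constructed sample bundles. KEY is a made-up value, not a real credential.
const KEY = 'sk_live_CONSTRUCTEDxq9Lm2vT7kR4pZ';
// 1. Key pasted straight into the client code.
const PLAIN_BUNDLE = `const API_KEY="${KEY}";fetch("https://api.example.com/v1/charge",{headers:{Authorization:"Bearer "+API_KEY}});`;
// 2. Same key after a typical minify/obfuscate pass: renamed, base64-wrapped.
const OBFUSCATED_BUNDLE = `var _0x1=atob("${Buffer.from(KEY).toString('base64')}");fetch("https://api.example.com/v1/charge",{headers:{Authorization:"Bearer "+_0x1}});`;
// 3. Hardened design: the client asks its own server (cookie session) for a
//    short-lived scoped token; the long-lived key never leaves the server.
const HARDENED_BUNDLE = `async function charge(b){const r=await fetch("/session/token",{credentials:"include"});const t=(await r.json()).token;return fetch("https://api.example.com/v1/charge",{headers:{Authorization:"Bearer "+t},body:b});}`;

function report(name, src) {
  const f = findEmbeddedSecrets(src);
  console.log(`${name}: ${f.length === 0 ? 'clean' : f.map((x) => `${x.reason} -> ${x.value}`).join(', ')}`);
}

report('plain', PLAIN_BUNDLE);        // known-prefix -> sk_live_CONSTRUCTED...
report('obfuscated', OBFUSCATED_BUNDLE); // known-prefix -> sk_live_CONSTRUCTED...
report('hardened', HARDENED_BUNDLE);  // clean
```

The check belongs in the release pipeline after minification, not before it, because that is the artifact users actually receive. The hardened bundle passes not because anything is hidden better but because there is nothing to hide: the token the client holds is short-lived and scoped, so its exposure is bounded by design rather than by how hard the code is to read.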