
Re: What I am missing

From: Michaela Merz <michaela.merz@hermetos.com>
Date: Wed, 19 Nov 2014 06:35:07 +0100
Message-ID: <546C2C0B.1050809@hermetos.com>
To: public-webapps@w3.org
Well .. it would be a "all scripts signed" or "no script signed" kind of
a deal. You can download malicious code everywhere - not only as
scripts. Signed code doesn't protect against malicious or bad code. It
only guarantees that the code is actually from the certificate owner
.. and has not been altered without the signer's consent.

Michaela

On 11/19/2014 06:14 AM, Marc Fawzi wrote:
> "Allowing this script to run may open you to all kinds of malicious
> attacks by 3rd parties not associated with the party whom you're
> trusting." 
>
> If I give App XYZ super power to do anything, and XYZ gets
> compromised/hacked then I'll be open to all sorts of attacks.
>
> It's not an issue of party A trusting party B. It's an issue of
> trusting that party B has no security holes in their app whatsoever,
> and that is one of the hardest things to guarantee.
>
>
> On Tue, Nov 18, 2014 at 8:00 PM, Michaela Merz
> <michaela.merz@hermetos.com> wrote:
>
>
>     Yes Boris - I know. As long as it doesn't have advantages for the user
>     or the developer - why bother with it? If signed code would allow
>     special features - like true fullscreen or direct file access  - it
>     would make sense. Signed code would make script much more resistant to
>     manipulation and therefore would help in environments where trust and/or
>     security is important.
>
>     We use script for much, much more than we did just a year or so ago.
>
>     Michaela
>
>
>
>     On 11/19/2014 04:40 AM, Boris Zbarsky wrote:
>     > On 11/18/14, 10:26 PM, Michaela Merz wrote:
>     >> First: We need signed script code.
>     >
>     > For what it's worth, Gecko supported this for a while.  See
>     > <http://www-archive.mozilla.org/projects/security/components/signed-scripts.html>.
>     >  In practice, people didn't really use it, and it made the security
>     > model a _lot_ more complicated and hard to reason about, so the
>     > feature was dropped.
>     >
>     > It would be good to understand how proposals along these lines differ
>     > from what's already been tried and failed.
>     >
>     > -Boris
>     >
>
>
>
>
Received on Wednesday, 19 November 2014 05:35:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:32 UTC