On Wed, Nov 19, 2014 at 12:35 AM, Michaela Merz <michaela.merz@hermetos.com> wrote: > Well .. it would be a "all scripts signed" or "no script signed" kind of a > deal. You can download malicious code everywhere - not only as scripts. > Signed code doesn't protect against malicious or bad code. It only > guarantees that the code is actually from the the certificate owner .. and > has not been altered without the signers consent. Seems relevant: "Java’s Losing Security Legacy", http://threatpost.com/javas-losing-security-legacy and "Don't Sign that Applet!", https://www.cert.org/blogs/certcc/post.cfm?EntryID=158. Dormann advises "don't sign" so that the code can't escape its sandbox and it stays restricted (malware regularly signs to do so).Received on Wednesday, 19 November 2014 06:02:02 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:32 UTC