- From: Marc Fawzi <marc.fawzi@gmail.com>
- Date: Tue, 18 Nov 2014 22:07:39 -0800
- To: Michaela Merz <michaela.merz@hermetos.com>
- Cc: public-webapps <public-webapps@w3.org>
- Message-ID: <CACioZisRPhrkUb0OMMAFd6WkqyLnxdSYutLDBiiAkGz43p9jMA@mail.gmail.com>
<< Signed code doesn't protect against malicious or bad code. It only guarantees that the code is actually from the certificate owner >>

If I trust you and allow your signed script the permissions it asks for, and you can't guarantee that it would be used by some malicious 3rd party site to hack me (i.e. the security holes in your script get turned against me), then there is just too much risk in allowing the permissions.

The concern is that the average user will not readily grasp the risk involved in granting certain powerful permissions to some insecure script from a trusted source.

On Tue, Nov 18, 2014 at 9:35 PM, Michaela Merz <michaela.merz@hermetos.com> wrote:
> Well .. it would be a "all scripts signed" or "no script signed" kind of
> a deal. You can download malicious code everywhere - not only as scripts.
> Signed code doesn't protect against malicious or bad code. It only
> guarantees that the code is actually from the certificate owner .. and
> has not been altered without the signer's consent.
>
> Michaela
>
> On 11/19/2014 06:14 AM, Marc Fawzi wrote:
>
> "Allowing this script to run may open you to all kinds of malicious
> attacks by 3rd parties not associated with the party whom you're
> trusting."
>
> If I give App XYZ super power to do anything, and XYZ gets
> compromised/hacked then I'll be open to all sorts of attacks.
>
> It's not an issue of party A trusting party B. It's an issue of trusting
> that party B has no security holes in their app whatsoever, and that is one
> of the hardest things to guarantee.
>
> On Tue, Nov 18, 2014 at 8:00 PM, Michaela Merz <michaela.merz@hermetos.com> wrote:
>
>> Yes Boris - I know. As long as it doesn't have advantages for the user
>> or the developer - why bother with it? If signed code would allow
>> special features - like true fullscreen or direct file access - it
>> would make sense. Signed code would make script much more resistant to
>> manipulation and therefore would help in environments where trust and/or
>> security is important.
>>
>> We use script for much, much more than we did just a year or so ago.
>>
>> Michaela
>>
>> On 11/19/2014 04:40 AM, Boris Zbarsky wrote:
>> > On 11/18/14, 10:26 PM, Michaela Merz wrote:
>> >> First: We need signed script code.
>> >
>> > For what it's worth, Gecko supported this for a while. See
>> > <http://www-archive.mozilla.org/projects/security/components/signed-scripts.html>.
>> > In practice, people didn't really use it, and it made the security
>> > model a _lot_ more complicated and hard to reason about, so the
>> > feature was dropped.
>> >
>> > It would be good to understand how proposals along these lines differ
>> > from what's already been tried and failed.
>> >
>> > -Boris
Received on Wednesday, 19 November 2014 06:08:47 UTC