
Re: The futile war between Native and Web

From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 19 Feb 2015 14:43:27 -0500
Message-ID: <CAH8yC8mpoaS+Gvk40FGaYSN_5F9Wjspv4nU+WNcJR1quMBcb8g@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: public-webapps WG <public-webapps@w3.org>

On Thu, Feb 19, 2015 at 1:44 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Jeffrey Walton wrote:
>>Here's yet another failure that Public Key Pinning should have
>>stopped, but the browser's rendition of HPKP could not stop because of
>>the broken security model:
>>http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/.
>
> In this story the legitimate user with full administrative access to the
> systems is Lenovo. I do not really see how actual user agents could have
> "stopped" anything here. Timbled agents that act on behalf of someone
> other than the user might have denied users their right to modify their
> system as Lenovo did here, but that is clearly out of scope of browsers.
> --

Like I said, the security model is broken and browser based apps can
only handle low value data.

Jeff
Received on Thursday, 19 February 2015 19:43:55 UTC
