Re: The futile war between Native and Web

From: Michaela Merz <michaela.merz@hermetos.com>
Date: Thu, 19 Feb 2015 14:55:09 -0600
Message-ID: <54E64DAD.8090600@hermetos.com>
To: noloader@gmail.com, Bjoern Hoehrmann <derhoermi@gmx.net>
CC: public-webapps WG <public-webapps@w3.org>

I am not sure about that. Based on the premise that the browser itself
doesn't leak data, I think it is possible to make a web site safe.  In
order to achieve that, we need to make sure that

a) the (script) code doesn't misbehave (=CSP);
b) the integrity of the (script) code is secured on the server and while
in transit;

I believe both of those imperative necessities are achievable.

Michaela


On 02/19/2015 01:43 PM, Jeffrey Walton wrote:
> On Thu, Feb 19, 2015 at 1:44 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
>> * Jeffrey Walton wrote:
>>> Here's yet another failure that Public Key Pinning should have
>>> stopped, but the browser's rendition of HPKP could not stop because of
>>> the broken security model:
>>> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/.
>> In this story the legitimate user with full administrative access to the
>> systems is Lenovo. I do not really see how actual user agents could have
>> "stopped" anything here. Timbled agents that act on behalf of someone
>> other than the user might have denied users their right to modify their
>> system as Lenovo did here, but that is clearly out of scope of browsers.
>> --
> Like I said, the security model is broken and browser based apps can
> only handle low value data.
>
> Jeff
>
Received on Thursday, 19 February 2015 20:55:36 UTC
