W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2012

Re: how to protect javascript codes

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Sat, 17 Nov 2012 11:25:47 +0900
Message-ID: <CAE-+aY+b30KW9hx73MDP=6ZLv3chLN9u5iXD_a5LHpUDU2AgFA@mail.gmail.com>
To: Dan Veditz <dveditz@mozilla.com>
Cc: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org
I know it can not be guaranteed 100%.

but I found similar approach in mozilla site.


the aim of Signed Script in Mozilla is actually same to my concerns.

is there any discussions for mozilla signed script project?

On Sat, Nov 17, 2012 at 10:49 AM, Dan Veditz <dveditz@mozilla.com> wrote:

> On 11/16/12 5:07 PM, Mountie Lee wrote:
>> the reason why we need to protect javascript codes are as following
>> - javascript codes are easily changed on client side.
>> - service provider want to make sure the business logic implemented with
>> javascript is exactly same to server's
> You can't ever guarantee that. In the trivial case let's say we do come up
> with a fool-proof mechanism, then a user can just create their own client
> without that mechanism (both Gecko and Webkit are open source).
> So who's your threat? If it's the user give up now. The user's computer
> likewise: malware can replace or hack into browser components.
> If both the user and site are trustworthy then we can do things to make
> sure the code is reliably transmitted between the two. The WebAppSec
> working group has discussed things along these lines.
> -Dan Veditz

Mountie Lee

Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

PayGate Inc.
for Korea, Japan, China, and the World
Received on Saturday, 17 November 2012 02:26:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:30 UTC