- From: Mountie Lee <mountie.lee@mw2.or.kr>
- Date: Sat, 17 Nov 2012 11:25:47 +0900
- To: Dan Veditz <dveditz@mozilla.com>
- Cc: webcrypto-comments@w3.org, public-webappsec@w3.org, public-sysapps@w3.org
- Message-ID: <CAE-+aY+b30KW9hx73MDP=6ZLv3chLN9u5iXD_a5LHpUDU2AgFA@mail.gmail.com>
Hi. I know it can not be guaranteed 100%. but I found similar approach in mozilla site. http://www.mozilla.org/projects/security/components/signed-scripts.html the aim of Signed Script in Mozilla is actually same to my concerns. is there any discussions for mozilla signed script project? On Sat, Nov 17, 2012 at 10:49 AM, Dan Veditz <dveditz@mozilla.com> wrote: > On 11/16/12 5:07 PM, Mountie Lee wrote: > >> the reason why we need to protect javascript codes are as following >> - javascript codes are easily changed on client side. >> - service provider want to make sure the business logic implemented with >> javascript is exactly same to server's >> > > You can't ever guarantee that. In the trivial case let's say we do come up > with a fool-proof mechanism, then a user can just create their own client > without that mechanism (both Gecko and Webkit are open source). > > So who's your threat? If it's the user give up now. The user's computer > likewise: malware can replace or hack into browser components. > > If both the user and site are trustworthy then we can do things to make > sure the code is reliably transmitted between the two. The WebAppSec > working group has discussed things along these lines. > > -Dan Veditz > > -- Mountie Lee PayGate CTO, CISSP Tel : +82 2 2140 2700 E-Mail : mountie@paygate.net ======================================= PayGate Inc. THE STANDARD FOR ONLINE PAYMENT for Korea, Japan, China, and the World
Received on Saturday, 17 November 2012 02:26:34 UTC