RE: Draft finding - "Transitioning the Web to HTTPS"

From: Tim Berners-Lee [mailto:timbl@w3.org] 

> Yes, but once the webcrypto code is unpolyfilled into the browser that attack will go away, and you will be able to use it to build new trust systems, right? 

No, sad to say. Since the network attacker could modify whatever JavaScript code you are using to implement those trust systems, or could even simply insert something like

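// Shadow the crypto.subtle accessor so that every caller on the page
// receives the attacker's object instead of the browser's implementation.
Object.defineProperty(window.crypto, "subtle", {
  get() {
    return new CompletelyFakeWebCryptoImplementation();
  }
});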

Received on Saturday, 20 December 2014 03:52:30 UTC