
Re: Draft finding - "Transitioning the Web to HTTPS"

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Fri, 19 Dec 2014 21:06:11 -0700
To: Domenic Denicola <d@domenic.me>
Cc: Tim Berners-Lee <timbl@w3.org>, Marc Fawzi <marc.fawzi@gmail.com>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
Message-Id: <20141219210611.c3b41250672abce76091cafd@bisonsystems.net>
Domenic Denicola wrote:
>
> Tim Berners-Lee wrote:
> 
> > Yes, but once the webcrypto code is unpolyfilled into the browser
> > that attack will go away, and you will be able to use it to build
> > new trust systems, right? 
> 
> No, sad to say. Since the network attacker could modify whatever
> JavaScript code you are using to implement those trust systems...
> 

Depends on the implementation. If my HTML text says "this site has been
compromised, do not trust" but is only removed by *my* JS, then the
attack would have to be so specific that the attacker's budget could
get around anything I could do to stop it.

Although the specifics of the Sony hack show that such a budget doesn't
need to be huge, sloppy code and all; still glad I quit using NetBIOS in
'98 or so.

Just sayin' there's ways to code, and there's ways to code. I can't do
anything about NetBIOS vulnerabilities, but I can control what my HTML
and scripting accomplish, and alert users if they aren't.

-Eric
Received on Saturday, 20 December 2014 04:06:52 UTC
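The disagreement above, as an added toy model that is not code from the thread: a page whose "do not trust" warning is removed only by the site's own script, delivered once over a plain channel an active network attacker controls and once over an integrity-protected one. The function names, the constructed page and the HMAC standing in for TLS are all assumptions of this example.

```python
import hashlib
import hmac
import re

# Constructed page in the spirit of Eric's scheme: the warning is always
# present in the HTML and is removed only by the site's own script.
PAGE = ('<p id="warn">this site has been compromised, do not trust</p>'
        '<script>document.getElementById("warn").remove()</script>'
        '<p>Welcome to the real site.</p>')

def render(html: str) -> str:
    """Toy browser: run the inline script if it is there, then show the text."""
    if 'getElementById("warn").remove()' in html:
        html = re.sub(r'<p id="warn">.*?</p>', '', html)
    return ''.join(re.findall(r'<p[^>]*>(.*?)</p>', html))

def network_attacker(html: str) -> str:
    """Domenic's point: on a path without integrity protection the warning
    and the script are just bytes the attacker can rewrite like any other."""
    html = re.sub(r'<p id="warn">.*?</p>', '', html)
    html = html.replace('<script>', '<script>/* attacker code */')
    return html.replace('real site', 'attacker page')

def deliver_http(attacked: bool) -> str:
    """Plain HTTP: the browser renders whatever arrived."""
    body = network_attacker(PAGE) if attacked else PAGE
    return render(body)

# Hypothetical secret shared by server and browser but not the attacker;
# it stands in for the TLS session keys (a simplification of real TLS).
KEY = b'session-secret-not-known-to-attacker'

def deliver_https(attacked: bool) -> str:
    """Integrity-protected channel: the server tags the response, the browser
    verifies the tag before rendering, so a rewritten body is rejected."""
    tag = hmac.new(KEY, PAGE.encode(), hashlib.sha256).hexdigest()
    body = network_attacker(PAGE) if attacked else PAGE
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return 'CONNECTION REJECTED: response tampered with'
    return render(body)
```

With the plain channel the warning vanishes and the attacker's page renders; with the protected channel the same rewrite is detected before any script runs.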
