Re: Draft finding - "Transitioning the Web to HTTPS"

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Fri, 19 Dec 2014 21:06:11 -0700
To: Domenic Denicola <d@domenic.me>
Cc: Tim Berners-Lee <timbl@w3.org>, Marc Fawzi <marc.fawzi@gmail.com>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
Message-Id: <20141219210611.c3b41250672abce76091cafd@bisonsystems.net>

Domenic Denicola wrote:
> Tim Berners-Lee wrote:
> > Yes, but once the webcrypto code is unpolyfilled into the browser
> > that attack will go away, and you will be able to use it to build
> > new trust systems, right? 
> No, sad to say. Since the network attacker could modify whatever
> JavaScript code you are using to implement those trust systems...

Depends on the implementation. If my HTML text says "this site has been
compromised, do not trust" but is only removed by *my* JS, then the
attack would have to be so specific that the attacker's budget could
get around anything I could do to stop it.

Although the specifics of the Sony hack show that such a budget doesn't
need to be huge, sloppy code and all; still glad I quit using NetBIOS in
'98 or so.

Just sayin' there's ways to code, and there's ways to code. I can't do
anything about NetBIOS vulnerabilities, but I can control what my HTML
and scripting accomplish, and alert users if they aren't.

Received on Saturday, 20 December 2014 04:06:52 UTC