- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Fri, 19 Dec 2014 21:06:11 -0700
- To: Domenic Denicola <d@domenic.me>
- Cc: Tim Berners-Lee <timbl@w3.org>, Marc Fawzi <marc.fawzi@gmail.com>, Chris Palmer <palmer@google.com>, Melvin Carvalho <melvincarvalho@gmail.com>, Mark Nottingham <mnot@mnot.net>, Public TAG List <www-tag@w3.org>
Domenic Denicola wrote:
>
> Tim Berners-Lee wrote:
>
> > Yes, but once the webcrypto code is unpolyfilled into the browser
> > that attack will go away, and you will be able to use it to build
> > new trust systems, right?
>
> No, sad to say. Since the network attacker could modify whatever
> JavaScript code you are using to implement those trust systems...
>

Depends on the implementation. If my HTML text says "this site has been compromised, do not trust" but is only removed by *my* JS, then the attack would have to be so specific that the attacker's budget could get around anything I could do to stop it.

Although the specifics of the Sony hack show that such a budget doesn't need to be huge, sloppy code and all; still glad I quit using NetBIOS in '98 or so.

Just sayin' there's ways to code, and there's ways to code. I can't do anything about NetBIOS vulnerabilities, but I can control what my HTML and scripting accomplish, and alert users if they aren't.

-Eric
Received on Saturday, 20 December 2014 04:06:52 UTC