On Tue, Mar 26, 2013 at 09:24:13AM +0100, Yiorgis Gozadinos wrote:
>
> Assuming there is a point of reference for js code, some published instance
> of the code, that can be audited and verified by others that it does not
> leak. The point then becomes: "Is the js I am running in my browser the same
> as the js that everybody else is?".
> Like you said, it comes down to the trust one can put in the verifier.
> A first step could be say for instance a browser extension, that compares a
> hash of the js with a trusted authority. The simplest version of that would
> be a comparison of a hash with a hash of the code on a repo.
> Another (better) idea, would be if browser vendors would take up the task
> (say Mozilla for instance) and act as the trusted authority and built-in
> verifier. Developers would sign their code and the browser would verify.
> Finally, I want to think there must be a way for users to broadcast some
> property of the js they received. Say for example the color of a hash. Then
> when I see blue when everyone else is seeing pink, I know there is something
> fishy. There might be a way to even do that in a decentralised way, without
> having to trust a central authority.

Dear Yiorgis:

I think this is a promising avenue for investigation. I think the problem is that people like you, authors of user-facing apps, know what the problem is that you want to solve, but you can't solve it without help from someone else, namely the authors of web browsers. With help from the web browser, this problem would be at least partly solvable.

There is no reason why this problem is more impossible to solve for apps written in Javascript and executed by a web browser than for apps written in a language like C# and executed by an operating system like Windows.

Perhaps the next step is to explain concisely to the makers of web browsers what we want.

Ben Laurie has published a related idea:

http://www.links.org/?p=1262

Regards,

Zooko

https://tahoe-lafs.org - Free, Open Source Secure Decentralized Storage
https://LeastAuthority.com - Commercial Ciphertext Storage Service
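
The hash comparison and "color of a hash" ideas discussed in this thread, as an added example that is not part of either post: a Node.js illustration that fingerprints the script a client received, checks it against a published reference hash, and flags clients whose copy differs from the majority. The function names (`fingerprint`, `matchesReference`, `findOutliers`) and the sample scripts are assumptions made for illustration.

```javascript
// Added illustration: fingerprint the JS a client received, compare it with a
// published reference hash, and spot clients whose copy differs from the rest.
const { createHash } = require("node:crypto");

// SHA-256 over the exact text received; any change to the script changes it.
function fingerprint(source) {
  const hex = createHash("sha256").update(source, "utf8").digest("hex");
  // "Color of a hash": the first 3 bytes as RGB. That is only 24 bits, so it
  // is a quick visual cue, not a substitute for comparing the full digest.
  return { hex, color: "#" + hex.slice(0, 6) };
}

// Compare against the hash published for the audited release (e.g. in a repo).
function matchesReference(source, referenceHex) {
  return fingerprint(source).hex === referenceHex.toLowerCase();
}

// Given reports {user, hex} shared by clients, return the users whose hash
// differs from the most common one. Assumes most clients got the honest copy.
function findOutliers(reports) {
  const counts = new Map();
  for (const r of reports) counts.set(r.hex, (counts.get(r.hex) || 0) + 1);
  let majority = null;
  let best = 0;
  for (const [hex, n] of counts) {
    if (n > best) { majority = hex; best = n; }
  }
  return reports.filter((r) => r.hex !== majority).map((r) => r.user);
}

// Constructed sample data: an audited script and a copy with one extra line.
const AUDITED = "function encrypt(m, k) { return seal(m, k); }\n";
const MODIFIED = AUDITED + "log(k);\n";
const REFERENCE = fingerprint(AUDITED).hex;

const reports = [
  { user: "alice", hex: fingerprint(AUDITED).hex },
  { user: "bob", hex: fingerprint(AUDITED).hex },
  { user: "carol", hex: fingerprint(MODIFIED).hex },
];
console.log(matchesReference(AUDITED, REFERENCE), matchesReference(MODIFIED, REFERENCE));
console.log(findOutliers(reports), fingerprint(MODIFIED).color);
```

The majority vote only helps when the modified copy is served to a minority of users; a server that sends the same altered script to everyone is caught by the reference-hash check, not by the comparison between users.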
