Hi Nadim,

I read your article for the second time. I'm totally with you. JavaScript is code, and therefore it is intrinsically neither more nor less secure than compiled code running on the OS. Sure, one needs to trust that the browser isn't doing funny things, but we need the same kind of trust when we run compiled code on an OS (usually developed by people who sit in the next cubicle from the browser people). I don't see why an OS deserves implicit trust and a browser doesn't.

Unlike compiled code, JavaScript can be read by humans. Most people won't bother, but there are a few who will, and they'll report their findings on this mail list if they find something amiss. I'm experiencing that right now with my own PassLok web app. If I had compiled it, people would have to trust my commercial jabber, as they seem to do for server-side applications, but they wouldn't really know how good the app was until after extensive testing.

Right now I'm wrestling with the issue of code authentication. The page is static and gets delivered by https, but what if someone manages to hack the server? My current solution is to publish the SHA256 of the source in the help page accompanying the code page. For added security, I post a YouTube video of yours truly reading that hash (I'm trying to get Justin Bieber to do it for me, but no luck so far ;-). Problems so far:

1. Most people don't know how to take the SHA256 of a page that comes to their browser. If they succeed at viewing the source, there is a high chance that they'll save it to file with the wrong encoding, so the hash verification will fail.

2. Even if my face (or Justin Bieber's face) is familiar to them, they know a video can be faked. I'm trying to make it harder by playing background music so it's not easy to chop up the video (with sound) and rearrange it so they hear me reading a counterfeit hash, but certainly there are experts out there who can get around that.

Now, nobody seems to be requiring this level of assurance from compiled code. You post a hash on your own website, and most people trust it. You add some CA's signature, and apparently you can go to the bank with that. Maybe I should just append to my code a comment containing someone's signature and forget about the rest.

On Tue, Aug 13, 2013 at 2:09 AM, Nadim Kobeissi <[email protected]> wrote:

> Quickly adding my blog post on the matter to this thread. Would love to
> hear discussion regarding it:
>
> http://log.nadim.cc/?p=33
>
> NK
>
> On 2013-08-13, at 1:58 AM, Tony Arcieri <[email protected]> wrote:
>
> > On Mon, Aug 12, 2013 at 3:07 PM, Ali-Reza Anghaie <[email protected]> wrote:
> > I'm sorry but aren't we spending a lot of time conflating code
> > quality, secure coding practices, software distribution, .. with
> > ~JavaScript in a browser~?
> >
> > I think the title of the thread has a lot to do with that. Fixed! ;)
> >
> > --
> > Tony Arcieri
> > --
> > Liberationtech is a public list whose archives are searchable on Google.
> > Violations of list guidelines will get you moderated:
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> > Unsubscribe, change to digest, or change password by emailing moderator at
> > [email protected].

--
Francisco Ruiz
Associate Professor
MMAE department
Illinois Institute of Technology

PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok

get the PassLok privacy app at: http://passlok.com
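The failure mode in problem 1 of the message above, as an added example that is not part of the original message or of PassLok's code: the same page hashes differently once "save to file" changes its line endings or encoding, and a checker can tell those benign causes apart from a real content change. The sample page, the `diagnose` helper and the list of transformations are constructed for illustration (Node.js).

```javascript
// Added example: sample page, helper names and transformations are constructed.
const { createHash } = require("crypto");

const sha256Hex = (bytes) => createHash("sha256").update(bytes).digest("hex");

// Constructed stand-in for the static page exactly as the server sends it (UTF-8, LF).
const served = Buffer.from("<!doctype html>\n<title>Démo app</title>\n<script>/* code */</script>\n", "utf8");
const publishedHash = sha256Hex(served); // the value the author would publish on the help page

// What saving the page can do to it without anyone tampering, plus one real change.
const text = served.toString("utf8");
const savedCopies = {
  exact: served,
  crlf: Buffer.from(text.replace(/\n/g, "\r\n"), "utf8"),
  bom: Buffer.concat([Buffer.from([0xef, 0xbb, 0xbf]), served]),
  utf16le: Buffer.from("\ufeff" + text, "utf16le"),
  tampered: Buffer.from(text.replace("/* code */", "/* c0de */"), "utf8"),
};

// Undo each benign transformation in turn; report which one, if any, restores the match.
function diagnose(saved, expected) {
  if (sha256Hex(saved) === expected) return "match";
  const candidates = {
    "utf-8 BOM added": (b) => (b.subarray(0, 3).equals(Buffer.from([0xef, 0xbb, 0xbf])) ? b.subarray(3) : b),
    // latin1 round trip is byte-preserving, so only the CR bytes are removed
    "line endings changed to CRLF": (b) => Buffer.from(b.toString("latin1").replace(/\r\n/g, "\n"), "latin1"),
    "re-encoded as UTF-16LE": (b) => Buffer.from(b.toString("utf16le").replace(/^\ufeff/, ""), "utf8"),
  };
  for (const [cause, undo] of Object.entries(candidates)) {
    if (sha256Hex(undo(saved)) === expected) return cause;
  }
  return "mismatch not explained by encoding";
}

// Map each saved copy to its diagnosis.
function report() {
  return Object.fromEntries(Object.entries(savedCopies).map(([name, b]) => [name, diagnose(b, publishedHash)]));
}
console.log(report());
```

Only the `exact` copy verifies directly; a verification procedure that hashes the bytes as delivered, rather than a file written out by an editor or a "save as" dialog, avoids the three benign mismatches.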
