Hacker News new | ask | show | jobs
by explorigin 3032 days ago
Please stop propagating this article. Its positions are out of date.

FTA: WHAT'S HARD ABOUT DEPLOYING JAVASCRIPT OVER SSL/TLS?

You can't simply send a single Javascript file over SSL/TLS. You have to send all the page contentover SSL/TLS. Otherwise, attackers will hijack the crypto code using the least-secure connection that builds the page.

---- Seriously? Serving entire websites over https is the norm these days. It appears as though the article has been added to but not updated. Current advocates should re-read the article.
1 comments
peterwwillis 3032 days ago
There's like 30 different points in this article.
link
explorigin 3032 days ago
Yes, I didn't really want to go through each point in the article. But here's a few things to consider as you read it:

    - The article reads like those arguments we have in our heads where we always win.
    - The article is from 2011
    - The article says "come back in 10 years when people aren't running browsers from 2008" 
      (we're not to 2021 yet but the majority of browsers are evergreen now)
    - We have SubtleCrypto now
    - We have SubResourceIntegrity
    - We have CORS and CSP
The article has some valid points, but I posit that it is more harmful than helpful. We need an Mozilla-style "arewesecureyet" website instead.
link
peterwwillis 3032 days ago
The article hammers home that you should not trust client-side javascript crypto. And you shouldn't. Because you can't. Because 30 points in that article. If we spent all day on this forum, we could go back and forth over every single one, re-establishing the above held truth.

It's like a Cloud OS. If my whole OS is running in the cloud, you can claim it's secure, "because crypto". But it's still actually running on a random pizza box in one of Google's datacenters. There's like 10 layers of trust and assurance needed between them and me.

If my OS is running on my laptop, I only need to trust ME, and maybe Intel's dodgy engineers, and whoever wrote the rest of what's running on my laptop. The control over the security of the system stays in my hands.

That is the basic trust problem, and on top of that are all the other technical problems that make client-side javascript crypto untrustworthy. Even if you solved all the other technical problems, I still don't trust what you are delivering to me more than I trust code that lives on my machine, designed by cryptographers to the highest standards of consumer security.

link