[krageon]

With attack vectors it's also about ease of exploitation. In this case, the ease is high. If the person you are responding to compiles their own browser, the bar to put an exploit in there is already much higher. Yes, there are still attack vectors. And there always will be. The point is they're harder to access.

[Benjamin_Dobell]

Your initial comment was pretty adamant that Mozilla had really messed up by delivering the code as JS. However, what is the attack vector that they've introduced by taking this approach?

It sounds to me like you're referring to a man-in-the-middle style attack. However, to be best of everyone's current knowledge, that's simply not possible with SSL.

It's only possible if the attack vector includes having already compromised the user's computer and installed a root certificate. At which point this is all pretty moot.

[krageon]

I think you have me confused with someone else. I have made no points except the ones in the post you are responding to.

In this case it looks like you're missing the fact that you can change the JS on the server with a high amount of ease and a low discoverability (it can be changed just for you and it won't show anywhere else).

[Benjamin_Dobell]

> I think you have me confused with someone else. I have made no points except the ones in the post you are responding to.

My apologies, that's what I get for reading on my mobile.

> In this case it looks like you're missing the fact that you can change the JS on the server with a high amount of ease and a low discoverability (it can be changed just for you and it won't show anywhere else).

You raise a reasonable point. It is indeed something everyone should be aware of. It's mostly a matter of trust, not security.

However, the same is equally true of someone you trust changing the binaries, source and/or hashes that are delivered to you; whether you got those from Mozilla, or somewhere else.

For example, the relatively recent Handbrake release compromise - https://news.ycombinator.com/item?id=14281808

[mercutio2]

“That’s simply not possible with SSL”

I agree that we don’t currently know of easy attacks on SSL if you’re pinning certs (which it sounds like Mozilla does here). But all you need is a rogue CA to MITM SSL if you’re not pinning certs, so I don’t think “simply not possible” is an accurate description of SSL as generally used by the broad web-dev community.