Hacker News new | ask | show | jobs
by Benjamin_Dobell 2770 days ago
Your initial comment was pretty adamant that Mozilla had really messed up by delivering the code as JS. However, what is the attack vector that they've introduced by taking this approach?

It sounds to me like you're referring to a man-in-the-middle style attack. However, to be best of everyone's current knowledge, that's simply not possible with SSL.

It's only possible if the attack vector includes having already compromised the user's computer and installed a root certificate. At which point this is all pretty moot.
2 comments
krageon 2770 days ago
I think you have me confused with someone else. I have made no points except the ones in the post you are responding to.

In this case it looks like you're missing the fact that you can change the JS on the server with a high amount of ease and a low discoverability (it can be changed just for you and it won't show anywhere else).

link
Benjamin_Dobell 2770 days ago
> I think you have me confused with someone else. I have made no points except the ones in the post you are responding to.

My apologies, that's what I get for reading on my mobile.

> In this case it looks like you're missing the fact that you can change the JS on the server with a high amount of ease and a low discoverability (it can be changed just for you and it won't show anywhere else).

You raise a reasonable point. It is indeed something everyone should be aware of. It's mostly a matter of trust, not security.

However, the same is equally true of someone you trust changing the binaries, source and/or hashes that are delivered to you; whether you got those from Mozilla, or somewhere else.

For example, the relatively recent Handbrake release compromise - https://news.ycombinator.com/item?id=14281808

link
mercutio2 2770 days ago
“That’s simply not possible with SSL”

I agree that we don’t currently know of easy attacks on SSL if you’re pinning certs (which it sounds like Mozilla does here). But all you need is a rogue CA to MITM SSL if you’re not pinning certs, so I don’t think “simply not possible” is an accurate description of SSL as generally used by the broad web-dev community.

link