by lucian1900 5167 days ago
The website or any of the domains it includes JS from can at any time inject some JS into your page, which could maybe replace AES with Base64, or anything else it wished to do.

Native crypto clients don't arbitrarily download code from several domains every time you turn on your app.

2 comments

And I forgot to add, there's no way you can protect against other side-channel attacks like timing attacks. JS as it is today makes it impossible.
What keeps JS from protecting against timing attacks?

Even so, I would argue that it's fair to say that this pushes it along a continuum towards less secure, not that it is "broken".

Yeah, but you have the code. You could see if they were doing that.