Security and Javascript
Timo Juhani Lindfors
timo.lindfors at iki.fi
Fri Jun 28 21:27:05 UTC 2013
Werner Koch <wk at gnupg.org> writes:
> [ Then please set an MFT header and my MUA will comply. That discussion
> is > 15 years old and we have since then a working solution.]
[ Sorry but I have no idea how to do that. However, I added "reply to
list" support to gnus a few years ago, it might be useful even if you
don't want to use it:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627516 ]
> It is a blacklist: For example: The code loaded from external source may
> not open a file on user's host. A whitelist would clearly state what the
> code is allowed to do. But then it wouldn't be a useful language
> anymore.
My system has always had a webcam but JavaScript only got to access it
when Chromium implemented support for it. You might call this a
blacklist but at least to me it looks like a whitelist. Wikipedia is
not a good reference but http://en.wikipedia.org/wiki/JavaScript does
talk about "granting privileges" which also would imply whitelist and
not blacklist :/
>> See the point about non-free plugins :(
>
> That usually makes the audit easy: We can't audit it thus it shall not
> be used.
Unfortunately the reality is that it does get used.
> Here in the sense that it is a well defined set of code which comes with
> a signature and can be tracked back to an audit or a trusted source. it
> can't: MitM attack on PKIX are commonplace. Does anyone really believe
> that the NSA has no means to ask another secret service to have one of
> their national CAs issue a malicious certificate? Come on: That system
> has been corrupted by the PKI business ever since. Nobody can expect
> that they ever withstood requests from the slouch hats.
No comment ;-)