On Fri, Oct 02, 2015 at 01:04:58AM +1000, Alfie John wrote:
> On Fri, Oct 2, 2015, at 12:43 AM, Georgi Guninski wrote:
> > On Thu, Oct 01, 2015 at 11:48:33PM +1000, Alfie John wrote:
> > > Front page of HN:
> > > https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
> > Lol, I don't trust neither mozilla nor google (in practice owner of the former).
> > Before trying to secure ``mobile code'', they should _try_ to secure the platform (maybe they call it kernel) on which malware runs.
> > Ever bothered to check the rates at which mozilla updates occur?
> > Ever read a mozilla security advisory? (usually it essentially reads "multiple parties disclosed multiple vulnerabilities, check HIDDEN BUGZILLA/PRIVATE-CVE")
> If that's the case, how do you Internet?

Using as little javascript as possible, not visiting JS sites (this doesn't mean I am not pwned).

btw, the link you gave made me laugh, from it:

    <script src="https://code.jquery.com/jquery-2.1.4.min.js" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC" crossorigin="anonymous"></script>

Observe that they are loading it from HTTPS and after that they verify, lol. Is this public admission that HTTPS is broken beyond repair?

As someone already pointed out, ``mobile code'' is tricky stuff. If the quoted script had |eval(stuff)|, the signature is pointless, since the code is dynamic.
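
Added example, not part of the original message: a Python sketch of the check that the integrity attribute in the quoted <script> tag asks the browser to perform, run over a constructed page and constructed script bytes (cdn.example and all function names are assumptions). The digest covers only the bytes of the pinned file, so a script loaded without an integrity attribute is reported as unpinned.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Digest algorithms the SRI spec allows, weakest to strongest.
STRENGTH = ["sha256", "sha384", "sha512"]

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build an integrity attribute value for the given resource bytes."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def sri_matches(integrity: str, body: bytes) -> bool:
    """Check body the way a browser does: only the strongest listed
    algorithm counts, and any one matching digest for it is enough."""
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in STRENGTH:
            parsed.append((alg, rest.split("?")[0]))  # drop ?options
    if not parsed:
        return True  # no usable metadata: the browser enforces nothing
    best = max(parsed, key=lambda p: STRENGTH.index(p[0]))[0]
    actual = base64.b64encode(hashlib.new(best, body).digest()).decode()
    return any(a == best and d == actual for a, d in parsed)

class ScriptTags(HTMLParser):
    """Collect (src, integrity) for every external <script> in a page."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" in a:
            self.found.append((a["src"], a.get("integrity")))

def audit(html: str, fetched: dict) -> dict:
    """Map each script src to 'ok', 'mismatch' or 'unpinned'."""
    p = ScriptTags()
    p.feed(html)
    return {src: "unpinned" if not integ else
            "ok" if sri_matches(integ, fetched[src]) else "mismatch"
            for src, integ in p.found}

# Constructed sample: a stand-in library body and a page that pins it.
LIB = b"function add(a, b) { return a + b; }\n"
PAGE = (f'<script src="https://cdn.example/lib.js" integrity="{sri_value(LIB)}" '
        'crossorigin="anonymous"></script><script src="https://cdn.example/other.js"></script>')
```
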