CloudFlare Keyless SSL WAS Re: Snowden on the Twitters

Georgi Guninski guninski at guninski.com
Thu Oct 1 08:14:33 PDT 2015


On Fri, Oct 02, 2015 at 01:04:58AM +1000, Alfie John wrote:
> On Fri, Oct 2, 2015, at 12:43 AM, Georgi Guninski wrote:
> > On Thu, Oct 01, 2015 at 11:48:33PM +1000, Alfie John wrote:
> > > Front page of HN:
> > > 
> > >   https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
> > >
> > 
> > Lol, I trust neither mozilla nor google (in practice owner of the
> > former).
> > 
> > Before trying to secure ``mobile code'', they should _try_ to secure the
> > platform (maybe they call it kernel) on which malware runs.
> > 
> > Ever bothered to check the rates at which mozilla updates occur?
> > 
> > Ever read a mozilla security advisory?
> > (usually it essentially reads "multiple parties disclosed multiple
> > vulnerabilities, check HIDDEN BUGZILLA/PRIVATE-CVE)
> 
> If that's the case, how do you Internet?
>

Using as little javascript as possible, not visiting JS sites (this
doesn't mean I am not pwned).

btw, the link you gave made me laugh; from it:
<script src="https://code.jquery.com/jquery-2.1.4.min.js"
integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC"
crossorigin="anonymous"></script>


Observe that they load it over HTTPS and only after that verify it,
lol. Is this a public admission that HTTPS is broken beyond repair?

As someone already pointed out, ``mobile code'' is tricky stuff.

If the quoted script had |eval(stuff)|, the signature would be pointless,
since the code is dynamic.