On Wed, Mar 14, 2012 at 2:35 PM, Lucas Adamski <ladam...@mozilla.com> wrote:
> My understanding is that there will be multiple app stores.  But code signing 
> has another benefit: reducing systemic risk.
>
> This assumes code signing and sane key management, but let's say there's a very 
> popular app with significant privileges.
> To compromise a large number of people, you'd need to:
> a) compromise the site hosting the app
> b) compromise the key signing the app (assuming you require app updates to be 
> signed with the same key)
> c) compromise or trigger the update mechanism for the app
> d) wait for updates to trickle out
>
> This is a tedious process that slows down exploitation, and that's no fun.
>
> If app authentication relies only on SSL, then you just need to pop a web 
> server (which isn't hard, really).  Everyone
> using the app gets owned simultaneously.

If we rely on only SSL we still get a), c) and d) AFAICT. Signing only
adds b). The other question is, how do you deliver the keys? It would
have to be through some mechanism other than through the web server to
add any level of security.

/ Jonas
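The "same key" requirement in the quoted chain, as an added example (not code from either poster): the client pins the publisher's public key once at install time, obtained through whatever out-of-band channel is trusted, and rejects any later update that does not verify under that key, no matter which server delivered it. Type names and the sample package bytes are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// InstalledApp records the publisher key pinned at first install (assumed to
// have been delivered out-of-band). Later updates must verify against this
// key, not against whatever key the web server serves alongside the update.
type InstalledApp struct {
	PublisherKey ed25519.PublicKey
}

// Update is what the untrusted web server delivers: package bytes plus a
// signature over them.
type Update struct {
	Package   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update not signed by the pinned publisher key")

// VerifyUpdate accepts an update only if it verifies under the pinned key.
// A compromised server (step a) can serve any bytes, but without the
// publisher's private key (step b) it cannot produce a valid signature.
func VerifyUpdate(app InstalledApp, u Update) error {
	if !ed25519.Verify(app.PublisherKey, u.Package, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Publisher generates a keypair once; the public half is pinned at install.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	app := InstalledApp{PublisherKey: pub}
	// Legitimate update, signed with the publisher's key (constructed sample).
	pkg := []byte("popular-app v2.0 (constructed sample package)")
	good := Update{Package: pkg, Signature: ed25519.Sign(priv, pkg)}
	fmt.Println("legit update:", VerifyUpdate(app, good))
	// Tampered package re-signed with some other key: rejected even if it
	// arrived over a perfectly valid TLS connection.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := []byte("popular-app v2.0 (tampered)")
	bad := Update{Package: evil, Signature: ed25519.Sign(otherPriv, evil)}
	fmt.Println("tampered update:", VerifyUpdate(app, bad))
}
```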
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security