On Thu, 22 Mar 2012 22:47:47 +1100
ptheriault wrote:
> I get your point about adding extra attack surface, but my thought was SSL
> has a fairly narrow and heavily tested attack surface compared to whatever
> signed/secured format is used. (i.e. an attacker could send unsigned
> malformed pages/packages to attack B2G.)
nitpicking really but worth bearing in mind untill the spec is
finalised.
>> 1. I can't think of any reason not to deploy privileged applications over
>> SSL, and the more strict the better (HSTS, limited certs, additional checks
>> etc)
^^^
sed "s/I can't think of any reason not to deploy/It may be a good idea
to deploy/"
>
> And actually the phones SSL stack will be exposed to attack every time the
> browser app visits a website, so this isn't adding any attack surface.
It is server side and the key handling procedures haven't been defined
yet, but yeah, chances are the server will use SSL somewhere. Might it
even be a shared host or are special servers dictated?
I haven't actually looked at any B2G info yet except this list. I
guessed what it was in the first place because I knew mozilla were
planning a html5 phone os. I'll try to keep stum now especially unless
I find time when bored or something to see where the projects gotten to,
which isn't that likely.
Wishing the project well.
p.s. With android code merged into the 3.3 kernel, I'm hoping but likely
with misplaced blind faith that Android is heading closer to linux
desktop level security.
It would certainly be good if the Android superficial java app candy
that makes it such a success was optional.
Kc
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
