

Ask HN: State of the art for web apps without trusting servers? - schoen

A current HN front page item has once again brought up the old issue about how JavaScript-implemented crypto in web apps could be modified by the web server operator at any time.

https://news.ycombinator.com/item?id=8659456

That is, even if the server operator does a good job implementing the web app and the publicly-audited open source code prevents the server operator from seeing plaintext, the user doesn't know that the version served *just now* is the safe, audited version, as opposed to a modified, backdoored version.

So, if the server gets compromised, or the server operator decides to spy on a particular user, or a government manages to order the operator to change the code for a particular user

http://blogs.wsj.com/digits/2014/11/25/case-suggests-how-government-may-get-around-phone-encryption/

then the user is out of luck. Of course this is a fairly well-known concern (highlighted over the years by tptacek and others) and I've heard of three or four projects to try to address it. They have in common the concept of creating some mechanism for browsers to verify, pin, and/or require independent certification of the contents when rendering a page containing a web app, so that the page just won't load if its contents have been changed in any way. (That also means you have to verify that the code can never dynamically load or eval new additional code, which might be enforced by auditors rather than by the browser.)

Who is working on proposals for such mechanisms, which ones are making progress, and how far along are they?
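
The verify-and-pin idea in the question above, as an added example that is not part of the original post or of any project it alludes to: a fail-closed check of the files a server sent against digests pinned for an audited release. It assumes an auditor publishes SHA-256 digests in the `sha256-<base64>` form used by Subresource Integrity; the function names and sample files are constructed for illustration.

```javascript
// Added example: fail-closed check of served web-app files against pinned digests.
const crypto = require("node:crypto");

// Digest in the "sha256-<base64>" form used by Subresource Integrity.
function integrity(bytes) {
  return "sha256-" + crypto.createHash("sha256").update(bytes).digest("base64");
}

// Build the pin set an auditor would publish for one reviewed release (assumption).
function pinRelease(files) {
  const pins = {};
  for (const [path, body] of Object.entries(files)) pins[path] = integrity(body);
  return pins;
}

// Compare what the server sent just now with the pinned release.
// Any modified, unpinned or missing file blocks the load.
function verifyServed(pins, served) {
  const failures = [];
  for (const [path, body] of Object.entries(served)) {
    if (!Object.hasOwn(pins, path)) failures.push({ path, reason: "unpinned" });
    else if (integrity(body) !== pins[path]) failures.push({ path, reason: "modified" });
  }
  for (const path of Object.keys(pins)) {
    if (!Object.hasOwn(served, path)) failures.push({ path, reason: "missing" });
  }
  return { ok: failures.length === 0, failures };
}

// Constructed sample: an audited release and two responses from the server.
const audited = {
  "/index.html": '<script src="/app.js"></script>',
  "/app.js": "function encrypt(k, m) { /* audited */ }",
};
const pins = pinRelease(audited);
const honest = { ...audited };
const tampered = {
  ...audited,
  "/app.js": audited["/app.js"] + "\nsend(k);", // one extra line changes the digest
  "/extra.js": "x()",                           // file the auditor never saw
};

console.log(verifyServed(pins, honest));   // ok: true
console.log(verifyServed(pins, tampered)); // ok: false, two failures
```

The check only means something if the pin set and the verifier reach the user through a channel the server operator does not control, which is the part the question asks about.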
======
LarryMade2
I see it as if you don't have all the hardware in-office and in-house ALL the
software and have the clients go to your place to do whatever it is they do,
there is no 100% guarantee you will get full security. And even then you have
to trust the clients aren’t a risk in themselves...

If you want to be full-blown paranoid, you have to trust a) the client's pc
manufacturer (including USB connected devices) b) their OS manufacturer c)
their browser manufacturer d) all apps that the client runs

Then they hook their computer to the internet...

