From 8a8635354f1e6c8968c915d29053bd486e4a5f5f Mon Sep 17 00:00:00 2001 From: James Halliday Date: Fri, 31 Oct 2014 17:33:00 -0700 Subject: [PATCH] reboot the web --- proposed/reboot_the_web.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 proposed/reboot_the_web.md diff --git a/proposed/reboot_the_web.md b/proposed/reboot_the_web.md new file mode 100644 index 0000000..3cda668 --- /dev/null +++ b/proposed/reboot_the_web.md @@ -0,0 +1,24 @@ +#infos + +auth-name : substack +tag : browser, crypto, web + +advance costs : N +need room : Y +Location : Oakland (but I will be in Paris) +Can host ppl : N + + +# REBOOT THE WEB + +Browsers have been quietly and methodically adding native crypto primitives, +but one gaping attack vector remains: every time you load a page, you load code +directly from the server. + +The person running that server can be coerced, hacked, or forced by sealed court +order to change that javascript payload at any time. What we need to make web +crypto viable is a bootloader for the web. Luckily, this is now possible by +abusing the new application cache API to brick a website except for a +whitelisted update feed. Now the user can finally be in control of which updates +they get from web pages, making browser crypto much more secure while preserving +all the usability benefits of the web.
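Review bot: In the last paragraph of the added proposal, "abusing the new application cache API to brick a website except for a whitelisted update feed" leaves unstated two things the threat model in the paragraph above depends on: how the first load, which still comes from the server, is trusted, and how an entry in the update feed is authenticated before the user accepts it. The proposal itself says the server operator "can be coerced, hacked, or forced by sealed court order" to change the payload, so a sentence on each would make the claim "much more secure" checkable. Minor style point in the metadata block: `#infos` has no space after the `#` while `# REBOOT THE WEB` does, so the two headings may not render the same way; `# infos` would match.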