[erlang-questions] Two beautiful programs - or web programming made easy

Jesper Louis Andersen jesper.louis.andersen@REDACTED
Tue Feb 15 13:25:15 CET 2011


2011/2/15 Joe Armstrong <erlang@REDACTED>:

> It seems to me you can either secure the pipe (ssh) or secure the things in
> the
> pipe (ie the content).

The right thing to do is obviously to protect the content. The pipe is
not what you execute, the content is. So there is no security in
protecting the content. Specifically we want integrity of the content
more than a confidentiality: We want a seal-of-approval on the code we
run so we are sure where it originates from. It is a question of trust
- either that the originator is the sole owner of the signature (in a
public/secret key cryptosystem), or that the Least Precondition
verifier locally is correct (in the case of proof-carrying-code).

> I'd prefer to secure the content since I can do this with my own code - rsa
> in erlang
> boils down to A^C mod N with Erlang and bignums this is trivial - I trust my
> own code.

Beware the side-channel attack. Crypto done right, mathematically, is
not secure anymore. You need certain functions to take the same amount
of time always, or you can gleam off bits from information theoretic
attacks.

> Now suppose I've gotten as far as decrypting and authenticating the
> encrypted blog
> of code, dare I *run* the code - this boils down to trust and is a
> non-technical issue.

There is another important issue: you have the seal-of-approval on the
code, but you need to trust that the code does not, by intention or
mistake, pull in other code to execute. Javascript is bad because
there is no security model on it at all and you can't trust all code
by transitive closure. Most modern browser attacks revolve around this
idea in some way: inject javascript into a place and get it executed
by the browser by "mistake". It is unfortunate that
proof-carrying-code (see
http://en.wikipedia.org/wiki/Proof-carrying_code ) did not take off
more.

On the other hand: The situation currently is bad, but it will
probably not get worse with JS+signatures.

As an aside, I note that Alan Kay once said that the web should have
been an executable program from the start, rather than HTML. That way,
you could have built an HTML renderer if you so desired, but you could
also have done different things at the same time. PDF rendering would
have been easy, Flash would have been trivial and so on. I don't think
this idea is so far off the vision.


-- 
J.


More information about the erlang-questions mailing list