undefined | Better HN

0 pointsrainmaking11y ago0 comments

The first statement is untrue: Stallman is also advocating measures to replace obfuscated JavaScript web apps with free versions:

"Browser users also need a convenient facility to specify JavaScript code to use instead of the JavaScript in a certain page. (The specified code might be total replacement, or a modified version of the free JavaScript program in that page.) Greasemonkey comes close to being able to do this, but not quite, since it doesn't guarantee to modify the JavaScript code in a page before that program starts to execute."

As for the second claim, actually implementing as an API does indeed help, because most of the code is then running in the browser and can be audited.

As for the third, the are no known ways to implement secure enclaves and remote attestation, that is what the questioner is asking. If you know of any, do share them.

0 comments

2 comments · 1 top-level

MichaelGG11y ago· 1 in thread

OK, but unminimized JS still has no bearing on trusted computing.

What about Intel TXT (maybe?) and the upcoming SGX? Although I've not seen details on how the key system works with SGX. But assuming each processor has a unique ID/public key signed by Intel, and assuming we trust Intel and assume it's not profitable/plausible for a darknet to undo Intel's hardware protection, SGX seems to be exactly what the OP is asking for.

rainmakingOP11y ago

Yes it does; the current state of the art of trusted computing is indeed "run open source on your own hardware", and unminifed JS does that. It's only, as of now, impractical, because the browser does not help with verification.

I was unaware of Intel SGX; sounds okay in principle, but I would consider the jury out until it's released and a the security community has weighed in.

j / k navigate · click thread line to collapse