
Re: [tor-talk] Programming language for anonymity network



Redefining anything in JS is as visible as "your nose on your face", as is silently importing anything; whatever obfuscation/minification means are used, it's trivial to check.

But here you do not necessarily have to import things and/or libraries; you can package everything with your app, so you control your package and nothing can come from the outside or be injected.

Node is not an enormous platform with tons of dependencies; it is easy to check.

My opinion...

You should bring node to FF OS :-)

Regards

Aymeric

On 18/04/2014 11:34, David Rajchenbach-Teller wrote:
On 18/04/14 11:30, Aymeric Vitte wrote:
[...]
- nodejs is easy to audit (assuming that modules like V8 can be
audited), you can override node's functions/objects if you like
[...]

Actually, in my mind, that's one point against safety of Node.js
applications. Redefining, say, Array.prototype.forEach is a good way to
introduce hard-to-track bugs. Doubly so if this is done silently by
importing a package (almost sure the latter is possible, but I haven't
actually checked).

Cheers,
  David




--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
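
One way to check for the kind of redefinition discussed in this thread, as an added example that is not code from either poster or from node-Tor: it compares the built-in prototypes of the running Node.js process with those of a fresh `vm` context and lists members that were added, removed or redefined. The names `auditBuiltins`, `fingerprint` and `demo` are hypothetical, and the patch applied inside `demo` is constructed to stand in for a package that modifies built-ins on import.

```javascript
// Added example: list built-in prototype members that differ from a pristine realm.
// `require` exists under CommonJS; the fallback covers ES modules on recent Node.
const vm = typeof require === 'function' ? require('node:vm') : process.getBuiltinModule('node:vm');

const TARGETS = ['Array', 'Object', 'String', 'Function', 'Promise'];

// A new V8 context has its own untouched built-ins, out of reach of packages loaded here.
const clean = vm.runInNewContext(
  `({ protos: { ${TARGETS.map((n) => `${n}: ${n}.prototype`).join(', ')} },
      fnToString: Function.prototype.toString })`);

// Source text of value/getter/setter functions; native code prints as "[native code]".
function fingerprint(desc) {
  return ['value', 'get', 'set'].map((slot) =>
    typeof desc[slot] === 'function' ? clean.fnToString.call(desc[slot]) : typeof desc[slot]
  ).join('|');
}

function auditBuiltins() {
  const findings = [];
  for (const name of TARGETS) {
    const live = globalThis[name].prototype;
    const ref = clean.protos[name];
    for (const key of new Set([...Reflect.ownKeys(live), ...Reflect.ownKeys(ref)])) {
      const a = Reflect.getOwnPropertyDescriptor(live, key);
      const b = Reflect.getOwnPropertyDescriptor(ref, key);
      const where = `${name}.prototype.${String(key)}`;
      if (!b) findings.push(`${where}: added`);
      else if (!a) findings.push(`${where}: removed`);
      else if (fingerprint(a) !== fingerprint(b)) findings.push(`${where}: redefined`);
    }
  }
  return findings;
}

// Constructed demo: stands in for a package that patches built-ins on import.
function demo() {
  const baseline = auditBuiltins();
  const original = Array.prototype.forEach;
  Array.prototype.forEach = function forEach(cb, t) { return original.call(this, cb, t); };
  Object.defineProperty(Array.prototype, 'last', { // silent addition
    value() { return this[this.length - 1]; }, configurable: true, writable: true,
  });
  const patched = auditBuiltins().filter((f) => !baseline.includes(f));
  Array.prototype.forEach = original; delete Array.prototype.last; // undo the patch
  const restored = auditBuiltins().filter((f) => !baseline.includes(f));
  return { patched, restored };
}
```

Run `auditBuiltins()` after all packages have been loaded; taking `toString` from the clean context means a package that also replaces `Function.prototype.toString` in the main context does not hide its changes from the comparison.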