[dojo-contributors] "core dojo", packaging, and the build system

Sandro Magi smagi at naasking.homeip.net
Wed Apr 5 20:08:42 EDT 2006


Jesse Kuhnert wrote:
> Hmmm...Sounds like something we'll not agree on...But I personally think
> the dojo foundation could do a sufficient job screening trusted entities..

Do you trust Certificate Authorities (CAs)? It's their business to
provide legitimate entities with signed certificates that all browser
end users are supposed to implicitly trust. The situation is very
similar to what you are proposing.

And yet, a CA recently provided a phisher with a cert for the Bank of
America
(http://www.eros-os.org/pipermail/cap-talk/2006-February/004908.html).

Lesson of the story: third-party screening processes are fallible. As
benign as the Dojo foundation may be, you should be very careful who you
"trust" with your, and your users', information.

But even assuming all of the approved hosts are *perfectly benign*, a
malicious party need only subvert *one* of these hosts and inject his
own script in place of the standard one to steal tons of data, cookies,
etc. So you still need a client-side code verification scheme of some
sort to prevent this sort of attack.

The secure hashed code scheme I suggested is the most straightforward
method I could think of.

> I also don't think javascript in someone's browser is going to be able to
> do the sort of advanced actions that a piece of hardware like a
> router/dns server can do. Like guarantee bandwidth limits, check QOS
> constraints to make sure one host in the chain isn't operating too
> slowly..etc...That's just me though :)

Of course not, but we're talking about a network of servers distributed
around the *world* for potentially millions of clients (should dojo
become as popular as I'm sure we're all hoping). There's no hardware
load-balancer that can operate on that scale; all centralized systems
fail in the extreme in massively distributed scenarios.

Assuming the selection algorithm is implemented correctly, distributing
the selection to each client makes host requests sufficiently random
that the amortized load should be relatively well-balanced. Extra bonus:
less network traffic.

In any case, I don't care much about the load-balancing idea as it was
just a thought, but the security question is absolutely critical.

Sandro
