Interesting question from the discussion around my latest article: why won’t we trust websites with access that we grant to any locally installed application? And I think that this is really about how we manage to trust local applications.

Given the amount of damage malicious code in an application can do (and occasionally does), this is in fact surprising. Do people really trust e.g. Google that much? Probably not. But outright malicious code in Chrome is likely to be discovered, which makes it too risky.

At least that’s the hope. I mean, there are lots of security researchers, there is antivirus software. A custom Chrome build distributed to only a few people will hopefully stick out and be discovered. And Google doesn’t want the resulting backlash.

I’ve seen a number of trust models for the web come and go; granting application-like privileges to web pages was always too risky. And I think that’s because misuse of these privileges is just so unlikely to be detected. On the web, different code for everyone is the rule.


Hard to believe, but in the Mozilla browser (pre-Firefox) a webpage could request the UniversalXPConnect privilege. If the user accepted, it got full access to their system. How was accepting this request ever a good idea, even with trusted websites?
