
I assume ultimately something like signed releases will become a thing on the web, with the signing process being separate from the other processes so that a hack has to compromise two entirely different systems, not just the build pipeline, to allow new JS to run. Currently the only thing that is signed is the SSL certificate, which of course guarantees precisely nothing about the actual website content served from the server other than that someone didn't tamper with it after it was sent.


Who hosts the signature? If you've hacked someone's server enough to push out new JS, what's to stop you from signing it?
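
An added example, not written by either commenter: a Node.js sketch of the separation discussed above, where the signing key lives on a system apart from the build pipeline and web server, and the client checks a detached Ed25519 signature against a public key it already holds. The function names, sample bundles and the out-of-band pinning of the public key are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Release-signing key: generated and kept on a system separate from the build
// pipeline and the web server (constructed here for the demo).
const releaseKey = crypto.generateKeyPairSync('ed25519');
// A key that someone with control of the web server could generate themselves.
const attackerKey = crypto.generateKeyPairSync('ed25519');

// Assumption: the client holds only the release public key, pinned out of band.
const PINNED_PUBLIC_KEY = releaseKey.publicKey.export({ type: 'spki', format: 'pem' });

// Runs on the signing system only: detached signature over the bundle bytes.
function signRelease(bundle, privateKey) {
  return crypto.sign(null, Buffer.from(bundle), privateKey).toString('base64');
}

// Runs on the client: accept the bundle only if the signature verifies against
// the pinned key, regardless of where bundle and signature were hosted.
function verifyRelease(bundle, signatureB64, pinnedPem = PINNED_PUBLIC_KEY) {
  const sig = Buffer.from(signatureB64, 'base64');
  if (sig.length !== 64) return false; // Ed25519 signatures are 64 bytes
  try {
    return crypto.verify(null, Buffer.from(bundle), crypto.createPublicKey(pinnedPem), sig);
  } catch {
    return false; // malformed key or signature: fail closed
  }
}

// Constructed sample bundles.
const goodBundle = 'export function total(cart) { return cart.reduce((a, b) => a + b, 0); }';
const alteredBundle = goodBundle + '\n/* line added after signing */';

function demo() {
  const goodSig = signRelease(goodBundle, releaseKey.privateKey);
  const otherSig = signRelease(alteredBundle, attackerKey.privateKey);
  return {
    signedRelease: verifyRelease(goodBundle, goodSig),
    alteredWithOldSignature: verifyRelease(alteredBundle, goodSig),
    alteredResignedWithOtherKey: verifyRelease(alteredBundle, otherSig),
    missingSignature: verifyRelease(goodBundle, ''),
  };
}

console.log(demo());
```

Only the first case verifies. The check depends on the pinned key and the verifier reaching the client through a channel the web server does not control; if the same server delivers them, the separation is lost.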



