Trustworthy JavaScript for the Open Web – Mozilla Hacks - the Web developer blog

The open web is a critical platform for applications that handle highly sensitive data, from private communications to financial transactions and medical records. Traditionally, servers are trusted to deliver the appropriate code and resources for their web applications to browsers, who then provide a secure and isolated environment for their execution. In some circumstances, this trust model falls short.

Consider a browser-based messaging application, like Signal or WhatsApp, which uses end-to-end encryption. The browser depends on the server to provide a trustworthy javascript implementation of the app; which ensures the user’s messages and cryptographic keys are suitably protected. A malicious or compromised server could selectively serve modified code to some users, undermining their security with little risk of detection. This challenges the basic premise of end-to-end encryption: that a misbehaving server should not be able to compromise user security.

Towards Verifiable Security on the Web

For web applications to be trustworthy in the presence of malicious servers, two properties are essential:

Integrity: The code executed by the user matches what the developer committed to in a manifest.

Trustworthy JavaScript for the Open Web – Mozilla Hacks - the Web developer blog

Other newsrooms on this story

Related reading

Mozilla: Anthropic's Mythos found 271 security vulnerabilities in Firefox 150

Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148 –…

In 1995, a Netscape employee wrote a hack in 10 days that now runs the Internet

Mozilla Used Anthropic’s Mythos to Find and Fix 271 Bugs in Firefox

Mozilla says 271 vulnerabilities found by Mythos have "almost no false…

Maximum-severity vulnerability threatens 6% of all websites