
Downloaded desktop software is generally written in a compiled language like C, and for example can't easily be XSSed to inject JavaScript.


Yeah but C has its own problems--buffer overflows and the like. Just because it doesn't have exactly CSS doesn't mean it lacks similar problems.


We're talking about "problems" in the context of "things that make cryptography hard". The other security flaws of C/C++ are orthogonal to this issue.

This isn't a value judgement on JavaScript. I like JavaScript. The hard fact of the matter is, not every good programming environment is going to be suitable for cryptography.


Perhaps, but almost all buffer overflow, remote code execution bugs are very similar to XSS attacks--feed the program something it doesn't expect along with some junk for it to execute. The mechanism is different but the concept is the same.


No, the concept is not the same. C programs aren't designed to execute code from third parties.


If you think C programs aren't vulnerable to XSS-like attacks, you need to take a security course.


In the context he's talking about, C programs aren't vulnerable to "XSS-like attacks"; C programs rarely deal with content-controlled code.


Buffer overflows.



