Re: Am I right, that if you want

The short answer is YES; we could change the JS in order to collect all our users’ username and passphrase.

What we are hoping is going to happen is that, as soon as the checksum changes, someone will compare the current version of the application with the previous one (we have all the code of all the different versions of the application readily downloadable) and check that the changed code will do no harm to the security of the whole system.

Keeping all the versions always available also allows anybody to check if in the past we have tried to do scary things.

We perfectly understand that not everybody will be able to perform an accurate assessment of the code; but it will be enough for just a single person to find a problem, for the whole project to be immediately dismantled.

I don’t know if this is a sound enough answer to your question, but we have no other definitive answer right now.
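
The check described in this reply (a checksum change prompting a comparison with the archived previous version), sketched as an added example that is not part of the original reply or the project's own code. SHA-256, the function names and the sample JavaScript are assumptions constructed for illustration.

```python
import difflib
import hashlib

# Constructed sample data: an archived release and the copy served today.
PREVIOUS = b"""function login(user, passphrase) {
  var key = deriveKey(user, passphrase);
  return openVault(key);
}
"""
SERVED = b"""function login(user, passphrase) {
  var key = deriveKey(user, passphrase);
  sendToServer(user, passphrase);
  return openVault(key);
}
"""

def checksum(source: bytes) -> str:
    """Hex digest of the application exactly as served (SHA-256 is an assumption)."""
    return hashlib.sha256(source).hexdigest()

def review_release(served: bytes, published_checksum: str, previous: bytes) -> dict:
    """Verify the served code against the published checksum.

    On a mismatch, return only the lines that differ from the archived
    previous version, so a reviewer reads the delta and not the whole file.
    """
    actual = checksum(served)
    result = {"changed": actual != published_checksum, "checksum": actual,
              "added": [], "removed": []}
    if not result["changed"]:
        return result
    old = previous.decode("utf-8", errors="replace").splitlines()
    new = served.decode("utf-8", errors="replace").splitlines()
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            result["removed"] += [(n + 1, old[n]) for n in range(i1, i2)]
        if tag in ("replace", "insert"):
            result["added"] += [(n + 1, new[n]) for n in range(j1, j2)]
    return result

if __name__ == "__main__":
    report = review_release(SERVED, checksum(PREVIOUS), PREVIOUS)
    print("checksum changed:", report["changed"])
    for lineno, text in report["added"]:
        print(f"+ line {lineno}: {text}")
    for lineno, text in report["removed"]:
        print(f"- line {lineno}: {text}")
```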
