
another_i wrote

Yeah, good question. I'm thinking like returning a SHA-1 hash salted by the client on the running server process's bytecode. But... I don't know how the client could prove that is the hash of the server process.

4
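The salted-hash challenge proposed in the comment above, as an added example that is not part of the original thread: it shows what the client-chosen salt does and does not establish. The `Server` class, the function names and the two code byte strings are hypothetical and constructed for illustration.

```python
import hashlib
import os

# Constructed stand-ins for the published release and a locally modified build.
PUBLISHED_CODE = b"def handle(req):\n    return render(req)\n"
MODIFIED_CODE = b"def handle(req):\n    extra_step(req)\n    return render(req)\n"


def salted_hash(salt: bytes, code: bytes) -> str:
    """SHA-1 (as in the comment) over the client-chosen salt followed by the code."""
    return hashlib.sha1(salt + code).hexdigest()


class Server:
    """Hypothetical server: `running` is what executes, `reported` is what it hashes."""

    def __init__(self, running: bytes, reported: bytes):
        self.running = running
        self.reported = reported

    def attest(self, salt: bytes) -> str:
        # Nothing ties this computation to self.running: the server picks the input.
        return salted_hash(salt, self.reported)


def client_verify(server: Server, published: bytes) -> bool:
    """Client sends a fresh salt and compares with its own hash of the published code."""
    salt = os.urandom(16)
    return server.attest(salt) == salted_hash(salt, published)


def replay_accepted(published: bytes) -> bool:
    """An answer recorded for one salt is checked against a different, fresh salt."""
    old_salt, new_salt = os.urandom(16), os.urandom(16)
    recorded = salted_hash(old_salt, published)
    return recorded == salted_hash(new_salt, published)


if __name__ == "__main__":
    honest = Server(running=PUBLISHED_CODE, reported=PUBLISHED_CODE)
    divergent = Server(running=MODIFIED_CODE, reported=PUBLISHED_CODE)
    print("honest server accepted:   ", client_verify(honest, PUBLISHED_CODE))
    print("divergent server accepted:", client_verify(divergent, PUBLISHED_CODE))
    print("replayed answer accepted: ", replay_accepted(PUBLISHED_CODE))
```

The check passes for both servers because the server chooses which bytes it hashes; the salt only stops an old answer from being replayed.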

celebratedrecluse wrote

Perhaps there could be an encryption key which uses the code data as a cipher, which signs tokens and then can be verified by a user or the browser via an extension, etc. The key would have to be maintained by the instance developers, and people would have to trust the code developers. This is a point of failure, to be sure, but it also minimizes the number of people who need to be trusted from the server operator and the developer of the code, to just the developers of the code. So, perhaps this is in fact implementable, and could be a useful approach? Or perhaps I have made an oversight.

3