Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Very interesting, thank you!

Looking at the attack vector (https://blog.stalkr.net/2019/11/the-gomium-browser-google-ct...), this is a pretty tightly constrained circumstance where you are permitting an attacker to execute unknown Golang code within the context of your process. (perhaps like the Go Playground, if that's not starting a new process for each user.)

I don't personally think that's really that applicable to regular golang users, unless they're trying to sandbox Golang code somehow within the language itself. (And if you are allowing untrusted code, then it's basically game over anyway).

But it's still interesting and I added a note to my comment above about your point.



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: