Conversation
-
A good !security browser plugin would be caching sha256/512 of remote javascript files and do a trust-on-first-use. If updated it would require manual activation.
- Claes Wallin (韋嘉誠) and @mcscx@quitter.se like this.
- Claes Wallin (韋嘉誠) repeated this.
-
When was the last time you didn't apply an update?
-
It's more about being aware that things change. And combined with, say, comparing version numbers (jquery version x.y.z shouldn't change hash, and x.y.z++ would be trusted on first use).
-
That means googleapis.com or whatever can't silently deliver me different files if they get hacked or MITM'ed (and I assume I trust the URLs linked on the site I visit via NoScript interaction).
-
In this case I'm not the one applying updates. All the CDN based script embeddings are made with version numbers in the URL. The attack vector is an evil server that will serve different files depending on referrer/client/randomness.
-
@zoowar Idea is:
1. I visit random .se website that doesn't think they need a CDN. They embed a third party link to googlewhatever.com for jquery-v1.3.37.js
2. googlewhatever.com is backdoored by whateveragency or malicious third party hacker that manipulated their way to a Verisign *.com certificate and can MITM me at the Tor exit I use.
3. They only do it very rarely, once in a thousand requests. Which changes the javascript and I notice that "hey, this is the same version as before - but updated? that can't be right!".
Go to any hipster web 2.0 website and they'll link crap to random third party sites. Anything from my local municipality to Wikimedia SE's projects and anything else that doesn't have a fulltime staff to run a distributed CDN but buy into the idea that the web should load in milliseconds instead of centiseconds.
-
@zoowar That is, most sites I visit which incorporate third party .js links will likely not be targeted by malicious hackers - but instead they can target the googleapis.com domain etc. and deliver a payload through there.
-
@mmn @zoowar the problem I see with this reasoning is that google (googlewhatever.com ?) _is_ a CDN - for a large number of widely-used libraries, including jQuery. And you don't need 'staff' to 'run' a CDN, you just use one (paid-for or free)
-
@zoowar It'd be fun to implement something that, with a plugin that tracks content hash sums, can interpret and prioritise hashsrc="sha256:1234...cdef"
-
@zoowar because I didn't know about it, thanks!
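The trust-on-first-use pin store sketched in the thread (pin the sha256 of a versioned script URL, allow identical bytes, block a changed body until the user activates it, and honour an explicit hashsrc="sha256:..." pin when the page gives one), as an added example that is not part of the original conversation. Names like ScriptPinStore and the sample URL and script bodies are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit


def script_key(url):
    """Identity of a pinned script: scheme://host/path, no query or fragment.
    Because the version sits in the path (jquery/1.3.37/...), a bumped
    version is a new key and is trusted on first use; the same version
    with different bytes is the case the thread wants flagged."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"


def sha256_hex(body):
    return hashlib.sha256(body).hexdigest()


class ScriptPinStore:
    """Hypothetical in-memory TOFU store; a real plugin would persist it."""

    def __init__(self):
        self.pins = {}         # script_key -> sha256 hex of the body first seen
        self.approved = set()  # keys the user manually re-activated after a change

    def verdict(self, url, body, hashsrc=None):
        key, digest = script_key(url), sha256_hex(body)
        # An explicit hashsrc="sha256:<hex>" on the tag takes priority over TOFU.
        if hashsrc:
            algo, _, expected = hashsrc.partition(":")
            if algo != "sha256":
                return "reject-unsupported-hashsrc"
            return "allow" if expected.lower() == digest else "block-hashsrc-mismatch"
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = digest  # first use: trust and pin
            return "allow-first-use"
        if pinned == digest:
            return "allow"
        if key in self.approved:  # user looked at the change and activated it
            self.pins[key] = digest
            self.approved.discard(key)
            return "allow-manually-activated"
        return "block-changed"  # same URL and version, different bytes

    def activate(self, url):
        """Record that the user accepts the next changed body for this URL."""
        self.approved.add(script_key(url))
```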