undefined | Better HN

0 pointsryan-c10y ago0 comments

This is to prevent files on a 3rd party CDN from being loaded if they've been replaced with malicious ones.

0 comments

6 comments · 2 top-level

iancarroll10y ago· 2 in thread

Ah, I see. I misunderstood. Though signatures seem to be just adding another part in the deployment process where you update the files themselves as well as the pages they're loaded from.

Is there any security gain from doing that?

detaro10y ago

If you include content produced by a third party (e.g. JQuery) off a CDN, right now you can use the hash-based SRI mechanism to make sure that only the exact file you specified can be included, otherwise the CDN could suddenly send any compromised code. The file can't be changed, because otherwise the hash wouldn't match.

With a signature, you could specify "include cdn.com/jquery-X if signed by the JQuery project", so JQuery could publish security updates and those could be rolled out to the CDNs and included in all pages automatically, without the siteowners having to make changes (if the security fix doesn't break compatibility).

For your own content, you'd mostly gain the convenience of not having to update the hashes on all the pages including the resource.

infinity010y ago

This is more convenient but less secure than a straight-up hash. If an attacker compromises the JQuery signing key, they could still serve malicious files. With a hash, the authenticity is ONLY dependant on the TLS connection to the main website, e.g. github.

TL;DR:

* hash: need to compromise the main website, that supplies (and authenticates) the hash

* signature by CDN: attacker can either compromise the main website OR <del>the third party CDN</del> <ins>author/signer of the third-party resource</ins>

(edit: correction as pointed out by response)

2 more replies

jsprogrammer10y ago· 2 in thread

A content hash is good enough. The trusted hash is sent over an already trusted channel (TLS).

Thanks for the downmods.

detaro10y ago

The point is that with a signature you wouldn't have to change all the pages including the resource, but just sign the updated resource with the same key.

jsprogrammer10y ago

It's just a semantic question. Does a URL point to a specific version of a resource or does it point to whatever the server considers to be the resource at a given time.

It would seem more desirable to be able to point to a specific version, instead of allowing a third party to be able to insert implicitly trusted code without acknowledgement.

2 more replies

j / k navigate · click thread line to collapse

0 comments

6 comments · 2 top-level

iancarroll10y ago· 2 in thread

Ah, I see. I misunderstood. Though signatures seem to be just adding another part in the deployment process where you update the files themselves as well as the pages they're loaded from.

Is there any security gain from doing that?

detaro10y ago

For your own content, you'd mostly gain the convenience of not having to update the hashes on all the pages including the resource.

infinity010y ago

TL;DR:

* hash: need to compromise the main website, that supplies (and authenticates) the hash

* signature by CDN: attacker can either compromise the main website OR <del>the third party CDN</del> <ins>author/signer of the third-party resource</ins>

(edit: correction as pointed out by response)

2 more replies

jsprogrammer10y ago· 2 in thread

A content hash is good enough. The trusted hash is sent over an already trusted channel (TLS).

Thanks for the downmods.

detaro10y ago

The point is that with a signature you wouldn't have to change all the pages including the resource, but just sign the updated resource with the same key.

jsprogrammer10y ago

It's just a semantic question. Does a URL point to a specific version of a resource or does it point to whatever the server considers to be the resource at a given time.

It would seem more desirable to be able to point to a specific version, instead of allowing a third party to be able to insert implicitly trusted code without acknowledgement.

2 more replies

j / k navigate · click thread line to collapse