undefined | Better HN

0 pointsCGamesPlay5y ago0 comments

Why does Archive.org get a pass on this one? Signed responses mean that there's a very clear way to leverage the browser's domain blacklisting technology to stop the spread of malware, which isn't presently possible for any content mirrors on the web.

0 comments

4 comments · 1 top-level

8organicbits5y ago· 3 in thread

Archive.org makes it clear you are on archive.org. The URL shows archive.org. The page content shows archive.org at the top. [1]

Google AMP doesn't show Google on the page. Google is pushing for the URL to show the origin site's URL instead of Google[2].

If an attacker poisons a nytimes.com article served by Google AMP, how does a browser's domain blacklisting help? Block google? Block nytimes.com? Neither makes sense.

1. https://web.archive.org/web/20050401090916/http://www.google...

2. https://9to5google.com/2019/04/18/apple-mozilla-google-amp-s...

CGamesPlayOP5y ago

I believe you might be misunderstanding the idea behind signed exchanges. To be clear, Signed Exchanges are how AMP should have worked all along.

example.com generates a content bundle and signs it. Google.com downloads the bundle and decides to mirror it from their domain. Your browser downloads the bundle from google.com, and verifies that the signature comes from example.com. Your browser is now confident that the content did originate from example.com, and so can freely say that the "canonical URL" for the content is example.com.

Malicious.org does the same thing, and the browser spots that malicious.org is blocked. At this point it doesn't matter if the content came from google.com, because the browser knows that the content is signed by malicious.org and so it originated from there.

Hope this helps clarify. Obviously blacklisting isn't a great security mechanism; my point is just that signed exchanges don't really open any NEW vectors for attack.

remexre5y ago

I think the concern was more that if I can XSS example.com, Google is now serving that for some period of time after example.com's administrators notice + fix this. (In the absence of a mechanism to force AMP to immediately decache the affected page(s), that is.)

1 more reply

8organicbits5y ago

I'm following.

Imagine that example.com builds the bundle by pulling data from a database. If an attacker can find a way to store malicious content in that database (stored XSS) and that content ends up in a signed bundle that Google AMP serves (similar to cache poisoning) then users will see malicious content. When the stored XSS is removed from the database, Google AMP may continue to serve the malicous signed bundle. So an extra step may be needed to clear the malicious content from Google AMP.

How exactly the attacker influences the bundle is going to be implementation dependent, so some sites may be safe while others are exploitable.

1 more reply

j / k navigate · click thread line to collapse

0 comments

4 comments · 1 top-level

8organicbits5y ago· 3 in thread

Archive.org makes it clear you are on archive.org. The URL shows archive.org. The page content shows archive.org at the top. [1]

Google AMP doesn't show Google on the page. Google is pushing for the URL to show the origin site's URL instead of Google[2].

If an attacker poisons a nytimes.com article served by Google AMP, how does a browser's domain blacklisting help? Block google? Block nytimes.com? Neither makes sense.

1. https://web.archive.org/web/20050401090916/http://www.google...

2. https://9to5google.com/2019/04/18/apple-mozilla-google-amp-s...

CGamesPlayOP5y ago

I believe you might be misunderstanding the idea behind signed exchanges. To be clear, Signed Exchanges are how AMP should have worked all along.

Hope this helps clarify. Obviously blacklisting isn't a great security mechanism; my point is just that signed exchanges don't really open any NEW vectors for attack.

remexre5y ago

1 more reply

8organicbits5y ago

I'm following.

How exactly the attacker influences the bundle is going to be implementation dependent, so some sites may be safe while others are exploitable.

1 more reply

j / k navigate · click thread line to collapse