HackerTrans
TopNewTrendsCommentsPastAskShowJobs

doomrobo

no profile record

Submissions

Moving Past Bots vs. Humans

blog.cloudflare.com
6 points·by doomrobo·3 miesiące temu·1 comments

Improving the Trustworthiness of JavaScript on the Web

blog.cloudflare.com
65 points·by doomrobo·9 miesięcy temu·34 comments

comments

doomrobo
·4 miesiące temu·discuss
I’ll ask the dual question: how many of the mobile safari checkmarks are fully fleshed out? Media Session has a check, but I have absolutely fought obvious Media Session implementation bugs in my own PWAs when designing for mobile safari
doomrobo
·5 miesięcy temu·discuss
>Small block ciphers are thus generally a bad idea against active adversaries.

>However, they can be very useful against passive adversaries whose capability is limited to observing identifiers, who are then unable to map them to the original value.

Really? Isn’t the Sweet32[0] attack mostly passive? “We show that a network attacker who can monitor a long-lived Triple-DES HTTPS connection between a web browser and a website can recover secure HTTP cookies by capturing around 785 GB of traffic.”

[0] https://sweet32.info/
doomrobo
·9 miesięcy temu·discuss
Yes, if every single URL in your web application has a hash in it (including <a> hrefs) then you don’t have to worry about anyone maliciously serving a webpage anymore.

But how do you get new app versions? I argue, if you want any meaningful security guarantees, an answer to this question will require transparency and/or code signing (which itself requires transparency, per my comment below)
doomrobo
·9 miesięcy temu·discuss
Emailed :)
doomrobo
·9 miesięcy temu·discuss
1. I didn't know about this [1] actually! It looks like it's been unsupported for a few years now. The format looks pretty barebones, and we'd still need hashes like you said, as well as "wildcard" entries. I reckon the JSON solution might still be the better choice, but this is good to have as a reference.

2. I agree, and this is something we have gone back and forth on. The nice thing about hashes as primary keys is you can easily represent a single path having many possible values, and you can represent "occurs anywhere" hashes by giving them the empty string. But the downside like you mention is that a hash cannot occur at multiple paths, which is far from ideal. I'll make an issue in the Github about this, because I don't think it's near settled.

3. I had read the spec [2] but never made this connection! You're right that it's not hard to imagine malleability sneaking in via headers and status codes. I'll make an issue for this.

4. I wanted to veer a bit from requiring sites to hold yet more cryptographic material than they already do. Yes you can keep signing keys "very very offline", but this requires a level of practice that I'm not sure most people would achieve. Also you run into key rotation annoyances as well. The current route to something like you describe is have every site have their own transparency log entry (though they can share manifests and even asset hosts), and use code signing to link their instance to the source of truth.

[1] https://en.wikipedia.org/wiki/Cache_manifest_in_HTML5

[2] https://www.rfc-editor.org/rfc/rfc9421.html
doomrobo
·9 miesięcy temu·discuss
Gotcha, yeah I agree. Fwiw, with the imagined code signing setup, the pubkey will be committed to in the transparency log, without any extra work. The purpose of the plugin is to give the browser the ability to parse (really fetch, then parse) those extension values into a meaningful policy. Anyways I agree, it'd be best if this part were built into the browser too.
doomrobo
·9 miesięcy temu·discuss
I'll actually argue the opposite. Transparency is _the_ pivotal thing, and code signing needs to be built on top of it (it definitely should be built into the browser, but I'm just arguing the order of operations rn).

TL;DR you'll either re-invent transparency or end up with huge security holes.

Suppose you have code signing and no transparency. Your site has some way of signaling to the browser to check code signatures under a certain pubkey (or OIDC identity if you're using Sigstore). Suppose now that your site is compromised. What is to prevent an attacker from changing the pubkey and re-signing under the new pubkey. Or just removing the pubkey entirely and signaling no code signing at all?

There are a three answers off the top of my head. Lmk if there's one I missed:

1. Websites enroll into a code signing preload list that the browser periodically pulls. Sites in the list are expected to serve valid signatures with respect to the pubkeys in the preload list.

Problem: how do sites unenroll? They can ask to be removed from the preload list. But in the meantime, their site is unusable. So there needs to be a tombstone value recorded somewhere to show that it's been unenrolled. That place it's recorded needs to be publicly auditable, otherwise an attacker will just make a tombstone value and then remove it.

So we've reinvented transparency.

2. User browsers remember which sites have code signing after first access.

Problem: This TOFU method offers no guarantees to first-time users. Also, it has the same unenrollment problem as above, so you'd still have to reinvent transparency.

3. Users visually inspect the public key every time they visit the site to make sure it is the one they expect.

Problem: This is famously a usability issue in e2ee apps like Signal and WhatsApp. Users have a noticeable error rate when comparing just one line of a safety number [1; Table 5]. To make any security claim, you'd have to argue that users would be motivated to do this check and get it right for the safety numbers for every security-sensitive site they access, over a long period of time. This just doesn't seem plausible

[1] https://arxiv.org/abs/2306.04574
doomrobo
·9 miesięcy temu·discuss
You're right that, when your own server is trustworthy, fully self-hosting removes the need for SRI and integrity manifests. But in the case that your server is compromised, you lose all guarantees.

Transparency adds a mechanism to detect when your server has been compromised. Basically you just run a monitor on your own device occasionally (or use a third party service if you like), and you get an email notif whenever the site's manifest changes.

I agree it's far more work than just not doing transparency. But the guarantees are real and not something you get from any existing technology afaict.