Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change canonisation method from minimsation to something less intrusive #16

Open
rugk opened this issue May 25, 2018 · 5 comments
Open

Comments

@rugk
Copy link

rugk commented May 25, 2018

BTW why do you need that at all? Can't you just take the DOM content literally and that's it?

@baryluk
Copy link

baryluk commented Jun 15, 2018

I fully agree. I understand JS might be slow in crypto so minizing then verifying signature seams easier, but come one, just do a hash of content, and then sign it. No minimizing required.

You need to add a comment at the top of the html file (right after the doctype if exists) that contains the detached PGP signature of the content of the tag after it has been minified with minimized with a specific set of settings.

I was reading. everything before, and it was all nice, until this part. WTF.

It imposes huge burden on development setup, build tools, and is going to break when the page and extensions are using different versions https://github.com/Swaagie/minimize that change output format slightly. Which is very likely to happen.

@rugk
Copy link
Author

rugk commented Jun 15, 2018

I understand JS might be slow in crypto

Actually not really with the Web Crypto API, which is natively implemented in browsers and which I think this extension, uses.

@tasn
Copy link
Owner

tasn commented Jun 15, 2018

As mentioned in the README and in #15 (comment), this is not possible. You can't take the DOM content in a consistent manner across browsers. I don't remember the exact inconsistencies I got, but they were plentiful. I could maybe do some less aggressive, home-made, canonisation. I think the differences were not that crazy and I can probably play this cat-and-mouse game with browsers, I just hope it won't break on browsers I'm not testing on.

I'm leaving this one open, but going to change the title a bit.

@tasn tasn changed the title Drop forced minimisation Change canonisation method from minimsation to something less intrusive Jun 15, 2018
@tasn
Copy link
Owner

tasn commented Jun 15, 2018

From #15:

Okay so there is an issue for filterResponseData in Chromium.

Don't know whether you offer your extension for other browsers, but if this is implemented there, we could drop that requirement.

BTW am I right that on Firefox you don't apply the minimizer then – as the original content should be minimized correctly?

Once it's out in Chromium we can completely drop it, yes.

At the moment it's also done for Firefox because the paged is only signed with one signature. The moment the whole versioning scheme described in #13 and #15 is implemented, we can just have two signatures. Original and minimised so we can also support old browsers (on the signed page side), or to be honest, we can probably just drop old version support at the moment because signed-pages is not yet widely used.

@rugk
Copy link
Author

rugk commented Jun 15, 2018

Indeed drop old browser-support. BTW don't know how old the browsers actually are you support, but they have to support SRI, at least.

And here is the issue link, again: https://bugs.chromium.org/p/chromium/issues/detail?id=487422

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants