[SRI] Support signatures/asymm key #449
Comments
|
Then you need to trust the CDN, no? |
|
sorry .. the page provides the public key to trust and the browser verifies signature for each JS file (sent as a header in the JS response) |
|
I updated the description to be a bit more clearer: my apologies. does this make more sense? |
|
I realized: another huge advantage of this would be that we can then fully distrust a CDN: we can remove the CDN from the script-src list and instead only include this public-key in the script-src list. This has been bought up a few times in the current spec as a problem: listing all the hashes that are trusted in a script-src csp policy will be really hard. |
|
I kind of like the idea of using a key like a nonce. You provide the key On Fri, Aug 14, 2015 at 1:27 PM Devdatta Akhawe notifications@github.com
|
|
This is a similar idea that we were exploring at work, where we wanted to The core advantage to this would be that a compromised web head wouldn't be On Fri, Aug 14, 2015 at 9:33 PM Brad Hill notifications@github.com wrote:
|
|
I think we should do both: the case where cooperation from CDN is needed and the case where cooperation is not needed. At scale, the inclusion of an arbitrary number of signatures/hashes is very painful. And, the cooperating CDN is a perfectly fine model for SRI to target. |
|
To complement the Just like In an element, this might look like: To have a page-wide policy on all external resources: For the HTTP response header, rfc6249 seems very simple and suitable for this purpose: which seems simple enough but does involve another round-trip to fetch the signature file. This is much less complicated than other proposals which try to scrub out the signature line from the content which gets signed. With HTTP2 the extra round-trip can be avoided, so this mechanism has a nice performance upgrade path. I guess a data URI might also work to include the signature data inline, if the signature only refers to the content and not the headers. For an ed25519 detached signature ( Or using a combined mode signature ( |
|
Once we get consensus on actually supporting asymm key, then we have multiple options for how to support it. I am a bigger fan of using the existing attribute over introducing a new one. But in any case, I think for now, this task needs to focus on getting everyone on board about supporting this :) |
|
@devd would using the HTML resources TLS cert to sign the integrity hard to implement? So for example: Could be: |
|
Michael Smith of the W3C introduced me to the SRI work, and @devd suggested that I contribute to this thread. The scenario that I have been looking at is automatically verifying downloaded content using digital signatures. I have been asked why a hash or an HMAC is insufficient for this scenario. The use case is where you need to verify that the content is endorsed by a person or organisation known to be reputable within a web of trust. Consider downloading a privacy suite such as Tor. If you look at their download page, you will find that underneath each download button is a https://www.torproject.org/download/download.html.en On the explanation page, the second of the two links above, the Tor developers provide an excellent rationale for their use of signatures:
There are two further important factors which they did not mention. One is that sometimes, for whatever reason, people start to use different keys to sign their content. This even happened with Tor. The download was always signed by Erinn Clark, but now it may be signed by one of a number of Tor developers, presumably to introduce some redundancy to the system. Because signatures are used within public-key cryptography, it was possible for Erinn to sign the new keys as trusted, meaning that anybody who trusted Erinn can now trust the new signatures. The other factor is that the use of digital signatures decouples the verification protocol from the transport protocol. This means, for example, that you don't have to download Tor from a TLS protected site. You don't have to trust the TLS certificate. You can use HTTP; you can use FTP if you like. You can transmit the files over the least secure connection that you have available, but the presence of a digital signature means that you can always verify what you received, independent of the security of the transport. This allows people to more widely mirror software. I could host a recent copy of Tor, you could download it from me and then verify it without having to trust me or any of the infrastructure that I have used to send you the file. Unfortunately, there are drawbacks to this process, and that is what I have attempted to solve with the publication of the following Internet-Draft: https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt The problem described, and potentially solved, by this I-D is that downloading and verifying a signature is presently an ad hoc and laborious process. The links to a signature are just provided in text next to a download. The user has to be aware what a signature means, and why they should download it at all. They may have to install software to check the signature for them. They certainly have to manually enter the files into this verification software. The user interfaces of such software are commonly criticised. All this is madness. The browser should be doing this for the user, and wrapping it all up into a user friendly interface. The same user interface guidelines that have resulted in people trusting TLS should be applied to public key cryptography on the web. But most importantly, the process should be automated. Imagine if you had to download a TLS certificate and establish the authenticity of every HTTP request yourself, manually! You wouldn't bother; and similarly, people are deterred from checking signatures because the browser doesn't do the right thing, which is to check them automatically. I wrote and had the IETF publish this draft before I was aware of the SRI work. To check a signature, you have to provide some metadata that the browser can read. The metadata would have to be standardised, hence the I-D. The idea is to use a link relation, much like There was no existing mechanism for doing this in HTML, so I made one up. It's called the So that's where I'm at right now. I see that the Subresource Integrity work is focused on providing hash based verification of scripts, so signature based verification of downloads may be some step. But I think it is certainly, as Michael Smith suggested, closely related to your work and I'd love to hear what you think. |
|
Hello all! New guy on the block here... I too was playing around with this idea before I heard about SRI and have been a little shy to mention anything about it. But, saw the latest message go across the mailing list (thanks @sbp) and decided to say hi. My idea of using signatures actually based on using OpenPGP. The script tag essentially specifies an ID for the key being signed and an URL for the key and for the signature. The page fetches (and caches the key), fetches the signature and source file, validates the signature and source, given the public key. Why do it this way? Two things...
I made a working prototype of this idea, although it's not aligned with the SRI model. But, feel free to take a look at http://pgp.mikesir87.io/signedJs/ Feel free to post feedback/further ideas. Thanks! |
You shouldn't do this because IDs can be trivially forged. The 32-bit ID only has a space of 2 ** 32 = 4,294,967,296 IDs, so it is possible to use brute force key generation until you get a desired one. Always use the full fingerprint, and not just the key ID. More information on this here: https://help.riseup.net/en/security/message-security/openpgp/best-practices#dont-rely-on-the-key-id Your signature discovery algorithm is to append a file extension:
I think it would be better to allow aribtrary locations of the signatures, though at obvious cost in terms of markup verbosity. The use of Having said all of that, I think your work is great—you're thinking about similar issues to me and the SRI team, and you have running code to address the problem. Using the key fingerprint as a makeshift hybrid of the hash and signature models, to avoid the need to consult the web of trust, is also interesting. |
|
Thanks for the feedback! Use of full fingerprint IDs... awesome. I can make that change. Discovery of the signature... yeah. I was going to come up with a better idea there. Could be another attribute either on the script tag itself or with the SRI attributes. Was good enough to get a small prototype working though. :) The use of |
|
What happens if you remove the I'm not sure that I understand the use of
And then passing it to a |
|
The reason I had to make the I could probably use a single type and base the handling difference based on the presence of the I also tried removing the |
|
Thanks for the explanation! Issue #497 is closely related to this issue. @mozfreddyb suggested there using an integrity="rfc4880sig-filepathhere"This would however mean that the attribute value no longer aligns with, and would instead be an extension of, the CSP2 source list syntax: http://www.w3.org/TR/CSP2/#source-list-syntax So that may not be desirable. |
|
The first step here is to give a clear threat model for the problem. With SRI "level 1", there were many options we explored early on, and we We specifically excluded, at this time, even attaching integrity attributes There are many more such questions with these proposals, and I think a more So: Who is the attacker? On Wed, Dec 9, 2015 at 9:31 AM Sean B. Palmer notifications@github.com
|
|
Sounds good @hillbrad! To me, the threat model is basically the same as SRI's original model... prevent tampered JavaScript from executing. It's just using another method to perform the verification, rather than using just a hash. The main difference is that site X instructs the browser what signing keys are needed in order to trust the resources from site Y. This allows a developer, if using an OpenPGP method, to only supply a key fingerprint and location for the signature. If updates are made to the intended resource, I don't have to update my HTML code to modify a hash, as an updated signature has been created and verifies the code change was intended. Using Hashes: I reference Using Signatures: I reference the same source, but provide the key fingerprint and signature file location (however those are to be specified). Browser fetches the source, signature, and key. Verification is made. Code is executed. A new version of jQuery is published. Get the new signature. Since it's signed by the same key, it still validates and the code is executed. In order for an attacker to circumvent the signature verification, there's only two methods I can recognize (any others chime in):
Method 1 is a new vector compared to hash-based SRI. But, is still far more secure than no integrity check at all. That's what I've got for now... |
|
For existing SRI, the party doing the inclusion, "X", has to make their own For this new proposal, "X" is choosing to trust "Y" by way of a content How much additional assurance do you get by this, and is it worth the SRI where X provides the hash gives X a strong guarantee that no matter how SRI where X trusts Y's key for code signing gives, "well, maybe this is So, is that worth it? Do we have evidence of the existence of the class of On Wed, Dec 9, 2015 at 12:12 PM Michael Irwin notifications@github.com
|
|
One thing to mention (as I realize I didn't make it clear earlier) is that party Y is not the one performing the code signing. As part of the developer's build process for the JavaScript source (whether using node, gulp, grunt, etc.), a step is to sign the code using a private GPG key. Then, both the source and signature are published to content server Y, who is only serving static content (thinking a CDN-like environment).
Not quite. For an OpenPGP setup, in most cases, X would trust keyserver Z for the content's public signing key. Since X is providing the fingerprint for the key and keys are self-validating, there's no risk in a bad key being delivered. Y is indeed providing the HTTPS certificate, but is only serving as the host of the content, not the creator of the content.
Definitely a valid point and one in which education will be needed. But, this is the case in any code deployment environment requiring code signature. Android and iOS applications already use code signing where this is an issue too. Same thing with anyone that deploys Java artifacts into Maven central.
Good question. Sure... it's overhead to validate signatures. But, then you know for sure that the code you're executing is the code created by the developer that created the signature (assuming the private key wasn't compromised). I don't have to worry about changes in versions,
No, but if the signature is created by the developer during the build, then any compromise of the web server would result in that outcome (web server compromised but not signing keys). If I misunderstood the question, let me know and I'll be happy to elaborate. |
|
@sbp - I just updated my prototype to be more closely aligned with the current SRI implementation. I'm going to work on a new version that makes use of a |
|
I didn't realize some work was already happening on this front. I began working on a PoC (just using frontend tools) of subresource signing here. I'll try to read up and get involved in the wider community discussion as time allows. Note: My name is also Michael Smith, but I am not of the W3C. I think there are 36,000 of us. |
|
@sbp On a slight tangent, I read https://www.ietf.org/id/draft-palmer-signature-link-relation-00.txt and immediately thought of the troubling off-browser edge case that is becoming so prevalent. Whereas your draft is focused on the browser, are you aware of any standard that would apply to a tool that could execute arbitrary resources from a URL after verifying their expected signatures? |
|
The notary tool from Docker solves this: They are using that as the basis for the image verification system: Here is their curl example from the github readme: |
|
I'd like to make one note of caution here: if you are not a member of the WebAppSec WG, we cannot accept submissions unless you are willing to sign a contributor's IPR agreement. This is necessary in order to assure that the W3C can maintain our commitments to produce specifications that are unencumbered by patents and free for everyone to use. Please submit requirements, issues, bugs, etc., but if you want to propose anything which you expect or hope might end up as a normative requirement in a specification, please contact me directly at hillbrad@gmail.com so we can discuss how the WG can accept your contributions. Thanks! |
|
@hillbrad any way I can become a member of WebAppSec WG? I'm very interested in the subject, but i don't know what the requirements are. |
|
FYI, @mikewest has started a proposal for this in https://github.com/mikewest/signature-based-sri. |
|
With the increase of sophisticated domain takeover attacks on web wallet services like myetherwallet and others, being able to pin signing keys for trusted javascript in a browser has perhaps never been more important. Has there been any movement on this? If not are there any suggestions on how to get this moving? |
|
I believe there is a version in chrome you can use?
…On Wed, Sep 19, 2018, 11:19 PM Lance R. Vick ***@***.***> wrote:
With the increase of sophisticated domain takeover attacks on web wallet
services like myetherwallet and others, being able to pin signing keys for
trusted javascript in a browser has perhaps never been more important.
Has there been any movement on this? If not are there any suggestions on
how to get this moving?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#449 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAIXGcx2cdVFAZVagycZHhvuDjNTRQ7Jks5uczN9gaJpZM4Fpjkf>
.
|
|
Very late to the party but I ran into this while thinking through SRI for web bundles (and dynamic subsets of web bundles). If signature-based SRI would be introduced, would it make sense to include some sort of challenge request header with the public key? Otherwise key rotation seems more painful but I'm not 100% sure that's a risk in practice. |
For a modern website with a lot of JS files, the overhead of loading SHA hashes of each and every file it might need ever adds up to quite a bit overhead. We should allow the page to provide a public key that will sign JS/styles loaded and the browser checks the signature provided in a header in the response
The text was updated successfully, but these errors were encountered: