Re: Signed Javascript

From: Richard Barnes <rbarnes@bbn.com>
Date: Tue, 17 Dec 2013 16:28:05 -0500
Cc: public-web-security@w3.org
Message-Id: <7D902879-917F-4F74-8231-00EAFC45789C@bbn.com>
To: Harry Halpin <hhalpin@w3.org>

On the one hand, this is a “turtles all the way down” problem.  If you’re going to verify JS with WebCrypto, you need to have JS to do the verification, and how does that get verified?

On the other hand, if you do have clean verification JS, it seems like you could do this with JWS / WebCrypto very simply.

var jws = {
    "unprotected": { "alg": "RS256", "jwk": { ... } },
    "payload": "... base64-encoded JavaScript ...",
    "signature": "..."
};

var valid = jose.verify(jws);
/* Check that the key is one you trust */


On Dec 17, 2013, at 4:17 PM, Harry Halpin <hhalpin@w3.org> wrote:

> I think some sort of signed Javascript solution could be very useful. Currently, on the Web we have a pretty straightforward same origin policy that assumes complete trust in the server. Yet with the proliferation of third-party JS apps and the possibility of server being compromised, how do you know if the server has served the right JS?
> I think some approach involving signatures and repos of JS libraries (similar to repos in *nix) would help, along with some sort of network perspectives or trust anchor in the browser to double-check and verify the JS served by the server.
> I believe WebAppSec WG is working on something in this space. I'm personally a fan of the TUF/Thandy approach of Tor, and wonder if such an approach could be adopted to JS. Installing trusted code is a hard problem, and applies just as equally in JS as it does in any other language. Despite all the harm of XSS, the advantage of downloading the JS code (and forcing new code into the cache when necessary), JS does allow easy upgrade to avoid 0 days, but I'd like to see if we can increase the trust in JS even more.
>   cheers,
>    harry
Received on Tuesday, 17 December 2013 21:28:40 UTC
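
Added example, not part of the original message and not the API of any JOSE library: the check sketched in the message above, written directly against WebCrypto, with the verification key pinned by the verifier instead of taken from the JWS. The function names, the constructed demo keys and scripts, and the choice to sign over the message's "unprotected"-only layout (empty protected header) are assumptions of this example.

```javascript
const ALG = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }; // what JWS calls RS256
const enc = new TextEncoder();
const subtle = async () => // browser global, or Node's WebCrypto
  (globalThis.crypto ?? (await import('node:crypto')).webcrypto).subtle;
const b64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Returns the script source only if it verifies under the pinned key, else null.
async function verifySignedScript(jws, pinnedJwk) {
  try {
    const hdr = jws.unprotected || {};
    if (hdr.alg !== 'RS256') return null; // the message does not get to pick the algorithm
    // The embedded jwk is a hint only: it must be the key we already trust.
    if (hdr.jwk && (hdr.jwk.n !== pinnedJwk.n || hdr.jwk.e !== pinnedJwk.e)) return null;
    const s = await subtle();
    const key = await s.importKey('jwk', pinnedJwk, ALG, false, ['verify']);
    // Assumption: no protected header, so the signing input is "" + "." + payload.
    const ok = await s.verify(ALG, key, unb64u(jws.signature), enc.encode('.' + jws.payload));
    return ok ? new TextDecoder().decode(unb64u(jws.payload)) : null;
  } catch { return null; } // malformed base64 or key material counts as unverified
}

// Publisher side, shown only so the demo has something to verify.
async function signScript(source, keyPair) {
  const s = await subtle();
  const payload = b64u(enc.encode(source));
  const sig = await s.sign(ALG, keyPair.privateKey, enc.encode('.' + payload));
  const jwk = await s.exportKey('jwk', keyPair.publicKey);
  return { unprotected: { alg: 'RS256', jwk }, payload, signature: b64u(sig) };
}

async function demo() { // constructed keys and scripts
  const s = await subtle();
  const gen = () => s.generateKey({ ...ALG, modulusLength: 2048,
    publicExponent: new Uint8Array([1, 0, 1]) }, true, ['sign', 'verify']);
  const publisher = await gen(), other = await gen();
  const pinned = await s.exportKey('jwk', publisher.publicKey);
  const good = await signScript('console.log("hello");', publisher);
  const tampered = { ...good, payload: b64u(enc.encode('console.log("changed");')) };
  const selfSigned = await signScript('console.log("hello");', other);
  return { good: await verifySignedScript(good, pinned),
    tampered: await verifySignedScript(tampered, pinned),
    selfSigned: await verifySignedScript(selfSigned, pinned) };
}
```

The third case in demo() carries a signature that is valid under its own embedded jwk; it is rejected because that key is not the pinned one, which is the "key you trust" check the message's comment asks for.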