Re: [SRI] unsupported hashes and invalid metadata

From: Francois Marier <francois@mozilla.com>
Date: Wed, 31 Dec 2014 12:07:01 +1300
Message-ID: <54A33015.9040503@mozilla.com>
To: public-webappsec@w3.org

On 31/12/14 07:12, Brad Hill wrote:
> I also think there is a third way to handle deprecated algorithms - the
> way we handle them for SSL today - fail open and show a warning to
> encourage operators to perform necessary maintenance, then, after a
> reasonable time, fail closed.

There are two cases [1] to think about:

1. <script integrity="ni:///sha-512;foo"> for a modern browser that no
longer considers that hash algorithm secure

2. <script integrity="ni:///sha-1024;foo"> for an older browser that
doesn't know about this new hash algorithm

I think you're suggesting we fail open (for a time anyways) in the first
case by keeping a list of known-but-no-longer-trusted hash algorithms. I
can draft a pull request for this.

What should we do for completely unknown hash algorithms? (i.e. case 2
with old browsers) Dev suggested that perhaps failing open is the only
sane way to let site admins support the long tail of browsers.

Francois

[1] In both cases, the result of the metadata list parsing algorithm in
the spec is the empty string: there is integrity metadata, but the
browser doesn't support any of it.
Received on Tuesday, 30 December 2014 23:07:32 UTC
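
The two cases in the message above, as an added example that is not part of the original email or of the SRI spec: it keeps deprecated and unknown algorithms in separate buckets so each can get its own fail-open or fail-closed policy. The algorithm lists, function names, option names and result labels are assumptions; sha-512 is marked deprecated only to mirror the email's hypothetical case 1.

```javascript
const { createHash } = require('crypto');

// Constructed lists (assumptions). DEPRECATED mirrors the email's hypothetical case 1.
const TRUSTED = new Map([['sha-256', 'sha256'], ['sha-384', 'sha384']]);
const DEPRECATED = new Set(['sha-512']);

// base64url digest without padding, the encoding ni:/// URIs use (RFC 6920).
function digest(nodeAlg, body) {
  return createHash(nodeAlg).update(body).digest('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Sort each whitespace-separated entry into trusted / deprecated / unknown.
function classify(integrity) {
  const out = { trusted: [], deprecated: [], unknown: [] };
  for (const token of integrity.trim().split(/\s+/)) {
    const m = /^ni:\/\/\/([a-z0-9-]+);(.+)$/.exec(token);
    const alg = m ? m[1] : null; // malformed entries count as unknown
    const bucket = TRUSTED.has(alg) ? 'trusted'
      : DEPRECATED.has(alg) ? 'deprecated' : 'unknown';
    out[bucket].push({ alg, value: m ? m[2] : token });
  }
  return out;
}

// Decide what to do with a fetched body. Both options are hypothetical knobs.
function decide(integrity, body, { graceOver = false, unknownFailsOpen = true } = {}) {
  const c = classify(integrity);
  if (c.trusted.length > 0) {
    // At least one usable hash: enforce it and ignore the rest.
    const ok = c.trusted.some(e => digest(TRUSTED.get(e.alg), body) === e.value);
    return ok ? 'load' : 'block';
  }
  if (c.deprecated.length > 0) {
    // Case 1: fail open with a warning, then fail closed after the grace period.
    return graceOver ? 'block' : 'load-with-warning';
  }
  // Case 2: nothing recognised; the open question in the email.
  return unknownFailsOpen ? 'load-unchecked' : 'block';
}
```

Listing a currently trusted hash next to a newer one keeps enforcement on in browsers that do not recognise the newer algorithm, so the fail-open branches are only reached when no entry is usable.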