Re: Application Hash exchange between client and server from Joel Weinberger on 2015-07-30 (public-webappsec@w3.org from July 2015)

From: Joel Weinberger <jww@chromium.org>
Date: Thu, 30 Jul 2015 16:14:23 +0000
To: Conrad Irwin <conrad.irwin@gmail.com>
Cc: Ahmed Saleh <ahmedzs@live.ca>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAHQV2Kk55O_=Lj4VU4MHVaabwu_fCpYzi86L1UQMeCnbYuyi-g@mail.gmail.com>

A pointer in which direction? I assume you mean from CSP to SRI (since SRI
points to CSP)? That may happen eventually, but keep in mind that SRI isn't
a finalized spec yet.
-Joel

On Thu, Jul 30, 2015, 7:43 AM Conrad Irwin <conrad.irwin@gmail.com> wrote:

> Thanks for the pointer. I joined the list to suggest implementing
> subresource integrity as part of the Content-Security-Policy, because it
> seemed like an obviously missing piece.
>
> I don't know what the usual way of handling this is, but a pointer between
> the two documents would have helped significantly.
>
> Conrad
>
>
> On Wed, Jul 29, 2015 at 11:45 PM, Joel Weinberger <jww@chromium.org>
> wrote:
>
>> For your suggestion of the server sending hashes to the client, a variant
>> of this is actually under design right now. See Subresource Integrity
>> <http://www.w3.org/TR/SRI/> (and the many discussions on this list about
>> it).
>>
>> For the client to server hash, this is unlikely to be implemented, for
>> several reasons:
>>
>>    - As described, the application could lie to the server, so there
>>    would be no benefit. A "bad" browser could run Chrome, get the hash it
>>    sends, copy that hash, and start sending it to the server as if it was its
>>    own.
>>    - Even if some version were to be implemented (using TPMs, for
>>    example, or even just OS level constructs), this would almost certainly be
>>    a violation of the Priority of Constituencies
>>    <http://www.schemehostport.com/2011/10/priority-of-constituencies.html>.
>>    What you've described is a form of remote attestation
>>    <https://en.wikipedia.org/wiki/Trusted_Computing#Remote_attestation>,
>>    which generally has been rejected on the Web (with notable exceptions
>>    surrounding DRM). Basically, a user agent *should* be allowed to lie.
>>    In fact, this is how in browser compatibility traditionally has worked, and
>>    why every user agent string has the words "Mozilla" and "IE" in it.
>>
>> --Joel
>>
>> On Wed, Jul 29, 2015 at 3:29 PM Ahmed Saleh <ahmedzs@live.ca> wrote:
>>
>>> Hi Sir/Madam,
>>> It would be a nice feature if we can exchange hashes between server and
>>> browser. a client as a browser would send clients' browser hash signature
>>> and the server would send it's application hash signature. This way, as a
>>> client, I would insure that I am communicating to the right version of
>>> application I intend (in case if this application is open source) and as a
>>> server, the server would insure that it's communicating to the right
>>> clients' browser as intended(that for example, could protect and view my
>>> data).
>>> Thank you,
>>>
>>>
>

Received on Thursday, 30 July 2015 16:15:05 UTC