Re: Verified Javascript for WebAppSec re-chartering?

Hash: SHA1

On 09/24/2014 04:08 PM, Mike West wrote:
> Thanks, Harry.
> On Wed, Sep 24, 2014 at 3:41 PM, Ben Laurie <> 
> wrote:
>>> This would seem to disable an entire class of applications are 
>>> then not really suitable for the Web, i.e. those applications 
>>> where the server may not be trusted. In that case, it seems 
>>> that having some third party verification of Javascript code 
>>> would be useful. This may also be useful for Web applications 
>>> where the server is trusted but may be insecure. It seems 
>>> Sub-resource integrity is headed in this direction, but we can 
>>> also imagine other ways this may be tackled that involve some 
>>> third party verification of Javascript.
> SRI verifies that the code sent by a server is the code that the 
> document into which that code is loaded expected to receive. It 
> doesn't do anything to ensure that those expectations match the 
> users'.
> I think there's probably some value to a code-signing extension to 
> SRI (that is, verification of a signature's providence rather than 
> verification of a file's contents), but it's not clear to me how 
> that would address the threat model posited here. If you don't 
> trust the server, and you don't trust the author, what good does
> it do you to know that the code you received is the code the
> author intended you to receive?

I think its a case where you trust the author but you are worried
server may have at some point become malicious or have been subverted,
so you want to verify the code.

Again, this would apply to certain high-value WebApps.

> Could you point me to a more detailed description of the actual 
> proposal?

It's in the Bugzilla:

This is our interpretation of the use-case put forward by Tom.

>> I believe Ben Laurie noted that in his STRINT submission some
>>> CertTrans-like mechanism could even be used [2]. Without this, 
>>> we see developments like Chrome's e2e email extension as 
>>> browser extension rather than being done natively in the 
>>> browser.
>> Extensions are also updated automatically, so I don't see how 
>> this helps, particularly.
>> That said, a CT-like mechanism could help with all of these 
>> cases.
> I totally agree with the benefit of a CT-like mechanism for 
> extensions, and I guess I could get behind a CT-like mechanism for 
> particular code snippets (though there's a huge difference in
> scope between compiling a list of all the certs ever vs all the
> code snippets ever).

+1 CT-like mechanism here.

Hehe - all code snippets over would be a nightmare. I'd say probably
"particular code snippets for particular operations" is what Tom wants.

> -mike
> -- Mike West <> Google+:,
> Twitter: @mikewest, Cell: +49 162 10 255 91
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany 
> Registergericht und -nummer: Hamburg, HRB 86891 Sitz der 
> Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine 
> Elizabeth Flores (Sorry; I'm legally required to add this exciting 
> detail to emails. Bleh.)
Version: GnuPG v1.4.11 (GNU/Linux)


Received on Wednesday, 24 September 2014 14:19:34 UTC