Re: What I am missing from Florian Bösch on 2014-11-19 (public-webapps@w3.org from October to December 2014)

From: Florian Bösch <pyalot@gmail.com>
Date: Wed, 19 Nov 2014 07:15:20 +0100
To: Michaela Merz <michaela.merz@hermetos.com>
Cc: Webapps WG <public-webapps@w3.org>
Message-ID: <CAOK8ODhZmQq3EdWTnu-9wXV+W5j05PpS4rNeJPyRZJG-79aYzQ@mail.gmail.com>
On Wed, Nov 19, 2014 at 6:35 AM, Michaela Merz <michaela.merz@hermetos.com>
wrote:

>  Well .. it would be a "all scripts signed" or "no script signed" kind of
> a deal. You can download malicious code everywhere - not only as scripts.
> Signed code doesn't protect against malicious or bad code. It only
> guarantees that the code is actually from the the certificate owner .. and
> has not been altered without the signers consent.
>

On Wed, Nov 19, 2014 at 5:00 AM, Michaela Merz <michaela.merz@hermetos.com>
 wrote:
>
> it would make sense. Signed code would make script much more resistant to
> manipulation and therefore would help in environments where trust and/or
> security is important.
>
> We use script for much, much more than we did just a year or so ago.
>

On Wed, Nov 19, 2014 at 6:41 AM, Michaela Merz <michaela.merz@hermetos.com>
 wrote:
>
> TLS doesn't protect you against code that has been altered server side -
> without the signers consent. It would alert the user, if unsigned updates
> would be made available.


Signing allows you to verify that an entity did produce a run of bytes, and
not another entity. Entity here meaning the holder of the private key who
put his signature onto that run of bytes. How do you know this entity did
that? Said entity also broadcast their public key, so that the recipient
can compare.

TLS solves this problem somewhat by securing the delivery channel. It
doesn't sign content, but via TLS it is (at least proverbially) impossible
for somebody to deliver content over a channel you control.

Ajax downloads still require a download link (with the bloburl) to be
> displayed requiring an additional click. User clicks download .. ajax
> downloads the data, creates blob url as src which the user has to click to
> 'copy' the blob onto the userspace drive. Would be better to skip the final
> part.

Signing, technically would have an advantage where you wish to deliver
content over a channel that you cannot control. Such as over WebRTC, from
files, and so forth.

In regard to accept: I wasn't aware of the fact that I can accept a socket
> on port 80 to serve a HTTP session. You're saying I could with what's
> available today?

You cannot. You can however let the browser accept an incoming connection
under the condition that they're browsing the same origin. The port doesn't
matter as much, as WebRTC largely relegates it to an implementation detail
of the channel negotiator so that two of the same origins can communicate.



Suppose you get a piece of signed content, over whatever way it was
delivered. Suppose also that this content you got has the ability to read
all your private data, or reformat your machine. So it's basically about
trust. You need to establish a secure channel of communication to obtain a
public key that matches a signature, in such a way that an attackers
attempt to self-sign malicious content is foiled. And you need to have a
way to discover (after having established that the entity is the one who
was intended and that the signature is correct), that you indeed trust that
entity.

These are two very old problems in cryptography, and they cannot be solved
by cryptography. There are various approaches to this problem in use today:

   - TLS and its web of trust: The basic idea being that there is a
   hierarchy of signatories. It works like this. An entity provides a
   certificate for the connection, signing it with their private key. Since
   you cannot establish a connection without a public key that matches the
   private key, verifying the certificate is easy. This entity in turn, refers
   to another entity which provided the signature for that private key. They
   refer to another one, and so forth, until you arrive at the root. You
   implicitly trust root. This works, but it has some flaws. At the edge of
   the web, people are not allowed to self-sign, so they obtain their (pricey)
   key from the next tier up. But the next tier up can't go and bother the
   next tier up everytime they need to provide a new set of keys to the edge.
   So they get blanket permission to self-sign, implying that it's possible
   for the next tier up to establish and maintain a trust relationship to
   them. As is easily demonstratable, this can, and often does, go wrong,
   where some CA gets compromised. This is always bad news to whomever
   obtained a certificate from them, because now a malicious party can pass
   themselves off as them.
   - App-stores and trust royalty: This is really easy to describe, the app
   store you obtain something from signs the content, and you trust the
   app-store, and therefore you trust the content. This can, and often does go
   wrong, as android/iOS malware amply demonstrates.

TSL cannot work perfectly, because it is built on implied trust along the
chain, and this can get compromised. App-stores cannot work perfectly
because the ability to review content is quickly exceeded by the flood of
content. Even if app-stores where provided with the full source, they would
have no time to perform a proper review, and so time and time again malware
slips trough the net.

You can have a technical solution for signing, and you still haven't solved
any bit of how to trust a piece of content. About the only way that'd be
remotely feasible is if you piggyback on an existing implementation of a
trust mechanism/transport security layer, to deliver the signature. For
instance, many websites that allow you to d/l an executable provide you
with a checksum of the content. The idea being that if the page is served
up over TLS, then you've established that the checksum is delivered by the
entity, which is also supposed to deliver the content. However, this has a
hidden trust model that established trust without a technical solution. It
means a user assumes he trusts that website, because he arrived there on
his own volition. The same cannot be said about side-channel delivered
pieces of content that composit into a larger whole (like signed scripts).
For instance, assume you'd have a script file (like say the twitter API).
Twitter signs that file. Let's assume there's some mechanism to verify that
twitter as identified by their domain name, and as trusted over their TLS
can then be contacted to provide their public key, so you can verify the
signature. How do you know you can trust twitter? You haven't visited their
website, you might not know who they are, for you, they're just one of
dozens of entities which produced the content, which combines to a whole.
Would you have to visit each signatories TLS presence to establish that you
are satisfied they're trustworthy?
Received on Wednesday, 19 November 2014 06:15:48 UTC