- From: Mark Watson <watsonm@netflix.com>
- Date: Fri, 22 Aug 2014 15:47:20 -0700
- To: Jeffrey Yasskin <jyasskin@google.com>
- Cc: Ángel González <angel@16bits.net>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEnTvdCoPQtGMQ742MLk_Buch3695pxC-BSNx1sFZDSmki+VxQ@mail.gmail.com>
On Fri, Aug 22, 2014 at 3:28 PM, Jeffrey Yasskin <jyasskin@google.com> wrote: > On Fri, Aug 22, 2014 at 3:12 PM, Ángel González <angel@16bits.net> wrote: > >> Jeffrey Yasskin wrote: >> > That's what I'm suggesting. I'm not sure whether "block ALL mixed >> > content" or "block insecure access to user data" is the stronger push, >> > but it seems like there's at least a chance that folks will be willing >> > to keep a regulated hole in the mixed-content wall, especially if it >> > makes it easier to adopt Chrome's secure-origins manifesto. >> > >> > I don't really know what the regulated hole should look like. What >> > would you be happy with? >> >> The simplest hole is probably a url with a hash which must match the >> content. Eg. like >> http://en.wikipedia.org/wiki/Magnet_URI_scheme?oldid=622277458#cite_ref-4 >> >> I think I have also seen urls that used hashes appended after the # for >> verification, but can't find them now. >> > > So, roughly, allow requests under > https://w3c.github.io/webappsec/specs/subresourceintegrity/, in whatever > form that winds up, even if the origin is mixed. > I'd assumed this would not fly because it does not address privacy. However, if that mechanism did allow mixed content (Goal 5), then this would go a long way to addressing the video distribution use-case. There are some details related to streaming that would need to be worked out and calculating and managing the hashes across a large content library is no small task, but here you are in the territory of one-off engineering effort, which is much easier to justify. > > I'm not the person who'd need to be convinced that this approach is > acceptable, but it seems like a reasonable way to get most of the user > benefits of the secure origin proposal without forcing Netflix to spend > lots of money in a hurry to replace their serving hardware. > > >> > What if, instead, >> > WebCrypto provided a direct way to open a WebSocket where each message >> > is passed through decrypt() before being given to the user? >> >> That looks initially good as it would also provide confidentiality. >> However, I'm afraid that you would end up having to spec a VM for how to >> decrypt the message. IMHO the hole should only require integrity (hashes >> or private key signatures). Decryption should be performed by WebCrypto >> on top of that. But you will find that there will be cases where it's >> not desired (eg. the download of a .deb or a Linux CD) and others where >> it's not enough (the tracking could be perfomed on the encrypted file). >> If you need to reencrypt for every user, you don't help the CDN use case >> where they precisely want static files. The only benefit is that you >> could encrypt offline the same content several times, and then serve >> each user a different token (and file) to decrypt them. >> > > Fair 'nuf. >
Received on Friday, 22 August 2014 22:47:48 UTC