W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2014

Re: Subresource Integrity strawman.

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 8 Jan 2014 16:10:16 -0800
Message-ID: <CALx_OUBGfjZKB3EhfkRsmShWBQYdO=d6hHWhBdEj9AcGZJ_OqQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Ilya Grigorik <igrigorik@google.com>, Joel Weinberger <jww@chromium.org>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Frederik Braun <fbraun@mozilla.com>, Brad Hill <bhill@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Mark Nottingham <mnot@mnot.net>, Tab Atkins <tabatkins@google.com>, William Chan <willchan@google.com>

Also, to circle back to the fingerprinting angle: the logged-in state
aside, let's say that there's an HTML page or a JSON response that is
mostly static, except for a first name, e-mail address, or a phone
number somewhere in the body. Further, for the sake of simplicity,
let's say that it's cacheable on the client.

I could precompute hashes for the static content + every common first
name, every phone number in a particular area code, or any of the
e-mail addresses I care about; and then rapidly attempt to load that
subresource with varying integrity=. By monitoring violations, I could
quickly determine that my victim's name on Facebook is Bob, or that
his number is 650-555-5555, right?

I don't think this is easily attainable without subresource integrity...

/mz

Received on Thursday, 9 January 2014 00:11:16 UTC