
Re: Subresource Integrity strawman.

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 9 Jan 2014 12:24:32 +0800
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Ilya Grigorik <igrigorik@google.com>, Joel Weinberger <jww@chromium.org>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Frederik Braun <fbraun@mozilla.com>, Brad Hill <bhill@paypal.com>, Anne van Kesteren <annevk@annevk.nl>, Tab Atkins <tabatkins@google.com>, William Chan <willchan@google.com>
Message-Id: <4D518ABB-A52D-40E5-B54D-DC0C5928DBF8@mnot.net>
To: Michal Zalewski <lcamtuf@coredump.cx>
On 9 Jan 2014, at 8:10 am, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> Also, to circle back to the fingerprinting angle: the logged-in state
> aside, let's say that there's an HTML page or a JSON response that is
> mostly static, except for a first name, e-mail address, or a phone
> number somewhere in the body. Further, for the sake of simplicity,
> let's say that it's cacheable on the client.
> I could precompute hashes for the static content + every common first
> name, every phone number in a particular area code, or any of the
> e-mail addresses I care about; and then rapidly attempt to load that
> subresource with varying integrity=. By monitoring violations, I could
> quickly determine that my victim's name on Facebook is Bob, or that
> his number is 650-555-5555, right?
> I don't think this is easily attainable without subresource integrity…

Seems like this could be mitigated by only allowing the integrity-enabled cache to consider responses that are storable by a shared cache… you'd need a proviso that any response loaded over HTTPS needs an explicit CC: public.



Mark Nottingham   http://www.mnot.net/
Received on Thursday, 9 January 2014 04:25:10 UTC
