W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] Escaping mixed-content blocking for video distribution

From: Mike West <mkwst@google.com>
Date: Mon, 3 Nov 2014 20:42:07 +0100
Message-ID: <CAKXHy=cfKQ99dnKmR6DF_5HRg1RdFtgd1=_4nYtFSw2instg1g@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>, Frederik Braun <fbraun@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hey Mark!

On Mon, Nov 3, 2014 at 7:25 PM, Mark Watson <watsonm@netflix.com> wrote:

> I understand that HTTP is no longer considered eligible for SRI, for good
> reasons [1]. Also that the ability of SRI / HTTP resources to escape
> mixed-content blocking is not something which had been agreed.
>

I think it's fair to say that there's strong opposition to weakening the
promise that user agent's UI makes to users. TLS should provide both
integrity and privacy; it's not clear how we could continue to make that
guarantee if portions of a page could load over HTTP.

It's equally unclear how we could distinguish between an XHR that loaded
data a site would programmatically act upon, and an XHR used to load video
data. XHR is multipurpose in a way that <video> and <audio> aren't; the
latter would be a safer starting point for experimentation.


> Second, requiring HTTPS doesn't really solve the Verizon identifier
> attack, or similar: such an identifier could still be associated with the
> TLS connection, for example in a TCP option, some extension to the initial
> TLS exchange or even a totally independent message sent to the destination
> identifying the TLS connection by its IP 5-tuple.
>

TLS would prevent _Verizon_ from injecting such an identifier into the TLS
stream, though. You're correct, of course, that Verizon's privileged
position allows it to play side-channel tricks with IP address assignment
(IPv6 will make that sort of thing easier).


> But, anyway, is there anything that could be done in terms of request
> integrity with HTTP ? Thinking aloud, could the response be required to
> include an HMAC of the request, using a key provided to the UA by the site
> ? That does not prevent destination server and network colluding, but does
> prevent modification of requests sent to non-colluding sites.
>

agl@ proposed a Merkle tree approach for streaming data. I think there was
agreement that that was a reasonable approach, but no one has proposed a
delivery mechanism for the digest data that seemed like a good solution.
According to Twitter, Freddy's been looking into this recently, so maybe he
has some good ideas? :)

I would expect that response headers be not visible to JS on the XHR, to
> avoid the attacks where networks attach unique identifiers to responses.
>

Well, that's a problem: one of SRI's requirements has been that
integrity-checked resources be delivered with CORS headers that enable JS
access as part of a mechanism to ensure that the contents of non-public
resources aren't brute-forcable via integrity checks (see
http://w3c.github.io/webappsec/specs/subresourceintegrity/#is-resource-eligible-for-integrity-validation
for detail).

I'm not sure that restriction is conducive to Netflix's use case.


> Another line of thought would be whether TLS could be used for HTTP sites ?
>

I guess you're referring to opportunistic encryption? Firefox seems to have
bought into the concept, but you won't be shocked to hear that many of the
same people you're already talking to on the Chrome team about TLS aren't
particularly enthused about those proposals. :)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 3 November 2014 19:42:56 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC