W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [SRI] Escaping mixed-content blocking for video distribution

From: Adam Langley <agl@google.com>
Date: Mon, 3 Nov 2014 12:06:08 -0800
Message-ID: <CAL9PXLwsgcTfUm3Uvjsif=uXMxr7GK5T=98XHpHS5Gd02LpAMQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Mark Watson <watsonm@netflix.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Nov 3, 2014 at 11:42 AM, Mike West <mkwst@google.com> wrote:
> agl@ proposed a Merkle tree approach for streaming data. I think there was
> agreement that that was a reasonable approach, but no one has proposed a
> delivery mechanism for the digest data that seemed like a good solution.
> According to Twitter, Freddy's been looking into this recently, so maybe he
> has some good ideas? :)

I think Mark was suggesting that an HTTP *response* include an HMAC of
the received request in order to detect modification of the request. I
don't think that using a Merkle tree for streaming data is related
here. (Although, if you wanted to deliver the digest data, I'd expect
it to be interspersed with the content at points convenient for the
UA.)

In response to Mark's suggestion as I understand it: (I'm assuming
that the client includes an nonce in the request otherwise lots of
obvious attacks are possible.)

This would break whenever any headers were added, removed or altered.
Sadly, that's not uncommon in the realm of HTTP I believe. Certainly
there have been cases where "firewalls" removed advertised support for
gzip encoding in requests because they couldn't scan compressed
responses. I imagine there's lots more situations like that.

I strongly suspect that such a design would be undeployable.


Cheers

AGL
Received on Monday, 3 November 2014 20:06:55 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC