W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: Application Hash exchange between client and server

From: Joel Weinberger <jww@chromium.org>
Date: Wed, 29 Jul 2015 22:45:57 +0000
Message-ID: <CAHQV2Km0fcGi5Td+WPwRzDsdQk9AxQ+d1rV8XUvKhyQVXR5khw@mail.gmail.com>
To: Ahmed Saleh <ahmedzs@live.ca>, "public-webappsec@w3.org" <public-webappsec@w3.org>
For your suggestion of the server sending hashes to the client, a variant
of this is actually under design right now. See Subresource Integrity
<http://www.w3.org/TR/SRI/> (and the many discussions on this list about

For the client to server hash, this is unlikely to be implemented, for
several reasons:

   - As described, the application could lie to the server, so there would
   be no benefit. A "bad" browser could run Chrome, get the hash it sends,
   copy that hash, and start sending it to the server as if it was its own.
   - Even if some version were to be implemented (using TPMs, for example,
   or even just OS level constructs), this would almost certainly be a
   violation of the Priority of Constituencies
   What you've described is a form of remote attestation
   which generally has been rejected on the Web (with notable exceptions
   surrounding DRM). Basically, a user agent *should* be allowed to lie. In
   fact, this is how in browser compatibility traditionally has worked, and
   why every user agent string has the words "Mozilla" and "IE" in it.


On Wed, Jul 29, 2015 at 3:29 PM Ahmed Saleh <ahmedzs@live.ca> wrote:

> Hi Sir/Madam,
> It would be a nice feature if we can exchange hashes between server and
> browser. a client as a browser would send clients' browser hash signature
> and the server would send it's application hash signature. This way, as a
> client, I would insure that I am communicating to the right version of
> application I intend (in case if this application is open source) and as a
> server, the server would insure that it's communicating to the right
> clients' browser as intended(that for example, could protect and view my
> data).
> Thank you,
Received on Wednesday, 29 July 2015 22:46:36 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC