
Re: Suggestion for code exposure security

From: Kristijan Burnik <burnik@google.com>
Date: Thu, 30 Jul 2015 12:01:54 +0200
Message-ID: <CANJwyhXFu7CtA94ifZJkz8Z1PQKor9p=jdZGzGavjiedO3pXJg@mail.gmail.com>
To: Ahmed Saleh <ahmedzs@live.ca>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hello,

Sounds like an interesting idea. I'm not quite sure it would ever work the
way you describe. I think it would create more problems for developers than
actually protect anything. :-/

My experience is that the most important and sensitive code lives on the
server (as it should) and never touches the client. Other than that, it's
pretty common to obfuscate the JS code, e.g. by minifying it. In any case,
as it holds for encryption, security should never be in danger from one's
ability to read the source code.

So how would, for example, curl work if it reached your website? Would one
be able to read your code?
My point is: you would have to do these hash checks on the server side, and
the hashes would be well known, so an attacker could just inject the hash
while doing the curl request in the first place...

Btw, you would constantly need to update your list of hashes because you
start off by white-listing, so your service would be inaccessible to some
clients if you miss out on any relevant signatures... This is also hard to
test, unless you have a nice farm of browsers in your test infrastructure.
Sounds expensive to me... :-/

Did you have a chance to read about subresource integrity [1]?

[1] http://www.w3.org/TR/SRI/
On Tue, Jul 28, 2015 at 2:53 AM, Ahmed Saleh <ahmedzs@live.ca> wrote:

> Hi Sir/Madam,
> Due to the publicly exposed nature of JavaScript and HTML code to browsers
> and clients, it’s not protected from people who can steal or manipulate the
> code returned from servers. Therefore, I have a suggestion to solve this
> situation. We can make all known browsers have a specific signature
> (hash), and a website would only work for a list of given signatures which
> represent all known browsers.
> So on my website I can check the current browser that’s trying to
> connect with me as a server and decide if it’s valid based on its signature,
> and continue the connection if the signature is found in my data list (of
> browsers [name & version]-signature/hash key-value pairs), or, if it is invalid
> and the signature is not found in my list of signatures of all known
> browsers, terminate the connection. The browsers, on the other
> hand, could respond to meta tags on my website such as <meta immutable>,
> which prevents websites from being mutated by plugins, and <meta protected>,
> which protects source code from view.
> Thank you,
>
-- 

*Kristijan Burnik*

Software Engineering Intern

burnik@google.com

Google Germany GmbH

Dienerstraße 12

80331 München

Managing directors: Graham Law, Christine Elizabeth Flores

Court of registration and number: Hamburg, HRB 86891

Registered office: Hamburg

Received on Thursday, 30 July 2015 10:04:18 UTC
