Re: [SRI] Comments on Subresource Integrity spec

From: Frederik Braun <fbraun@mozilla.com>
Date: Tue, 19 May 2015 10:23:26 +0200
Message-ID: <555AF2FE.5060507@mozilla.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>, Joel Weinberger <jww@chromium.org>
CC: Gervase Markham <gerv@mozilla.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Sorry for this late (and likely contentious) reply in this already very
long thread.

I'm sure it's not a great security promise to check for the validity of
a digest with a broken hash function, but I have to agree with Gerv that
it's better than nothing at all.

Known collisions in a hash function don't strictly imply that it's easy
and feasible to create a collision for arbitrary JavaScript files that
remain valid JS syntax.

We should at least try validating and not just throw our hands in the
air and say "you're doomed", when we can easily raise the bar - even if
it's just a little.


On 19.05.2015 00:44, Devdatta Akhawe wrote:
> ok .. I created https://github.com/w3c/webappsec/pull/371
> 
> Unless there is strong objection, I think we should go with this.
> 
> On 18 May 2015 at 15:22, Joel Weinberger <jww@chromium.org> wrote:
> 
>     "MAY" certainly covers the plans for our implementation, so it works
>     for me. I'd like to know, though, if any UA actually plans not to
>     follow this directive. If not, then I don't really see the point of
>     a "MAY" vs "SHOULD" or "MUST." But, yeah, I'm fine with this in any
>     case.
>     --Joel
> 
>     PS: I'm on vacation until next week, so I'll be quite slow to
>     respond at times. My apologies!
> 
>     On Tue, May 19, 2015 at 5:29 AM, Devdatta Akhawe
>     <dev.akhawe@gmail.com> wrote:
> 
>         Given that there is some disagreement about this, I don't think
>         we gain anything by asserting that. As I mentioned, I can
>         imagine a UA doing this to encourage migration.
> 
>         On 18 May 2015 at 08:39, Gervase Markham <gerv@mozilla.org> wrote:
> 
>             On 18/05/15 16:33, Devdatta Akhawe wrote:
>             > I thought the MAY gave flexibility to UAs. Does it not?
> 
>             It does; but I always think that when a spec says "MAY", it
>             means a bit more than "You MAY consider the moon to be made
>             of green cheese"; i.e. there are circumstances where the MAY
>             might be a good idea. I'm not sure I can think of any
>             circumstances where a UA would decide to block loads due to
>             out-of-date integrity hash algorithms, given that the
>             no-integrity behaviour is to load regardless.
> 
>             Gerv
> 
> 
> 
> 
Received on Tuesday, 19 May 2015 08:24:03 UTC
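
The three ways a user agent could treat integrity metadata that names only an out-of-date hash algorithm, as debated in this thread, sketched as an added example (not part of the original message, the spec text, or any browser's code). The policy names, the use of md5 as the stand-in for a "broken hash function", and the sample script bytes are assumptions made for illustration.

```python
import base64
import hashlib

# Assumption for this sketch: md5 stands in for the "broken hash function".
DEPRECATED = {"md5"}
STRENGTH = ["md5", "sha256", "sha384", "sha512"]  # weakest to strongest

# Constructed sample resource bodies (not from the thread).
GOOD = b"console.log('library v1');"
TAMPERED = b"console.log('library v1');/*changed*/"

def make_integrity(alg, body):
    """Build an 'alg-base64digest' token for a resource body."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, body).digest()).decode()

def parse_integrity(value):
    """Split an integrity attribute into (algorithm, base64 digest) pairs."""
    pairs = []
    for token in value.split():
        alg, sep, digest = token.partition("-")
        alg = alg.lower()
        if sep and alg in STRENGTH:          # unknown algorithms are skipped
            pairs.append((alg, digest.split("?")[0]))  # drop any ?options
    return pairs

def digest_matches(alg, expected_b64, body):
    actual = base64.b64encode(hashlib.new(alg, body).digest()).decode()
    return actual == expected_b64

def decide(integrity, body, policy):
    """Return 'load' or 'block' for one fetched resource.

    policy (hypothetical names for the positions taken in the thread):
      'validate' - check the digest even if the algorithm is deprecated
      'ignore'   - treat deprecated-only metadata as if none was given
      'block'    - refuse the load when only deprecated algorithms are offered
    """
    pairs = parse_integrity(integrity)
    if not pairs:
        return "load"  # no usable metadata: no-integrity behaviour
    alg = STRENGTH[max(STRENGTH.index(a) for a, _ in pairs)]  # strongest offered
    if alg in DEPRECATED and policy != "validate":
        return "load" if policy == "ignore" else "block"
    ok = any(digest_matches(alg, d, body) for a, d in pairs if a == alg)
    return "load" if ok else "block"
```

Under `ignore`, a modified body with md5-only metadata loads exactly as it would with no integrity attribute; under `validate`, the same body is rejected because its digest no longer matches.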