W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2017

Re: Verified Javascript: Proposal

From: Eduardo Robles Elvira <edulix@nvotes.com>
Date: Tue, 25 Apr 2017 11:19:27 +0200
Message-ID: <CAP3PUVhXDHdSJy6Ojxg97a3EkL1G8rHkWgh5fzMtMFuuceaxmQ@mail.gmail.com>
To: Jochen Eisinger <eisinger@google.com>
Cc: Daniel Huigens <d.huigens@gmail.com>, public-webappsec@w3.org
Hello:

Thanks for the work and the proposal Daniel, I think "HTTPS Content
Signing" (HCS) could be very useful in some websites that value highly
transparency and trust.

> I wonder how the logged certificates would be used. I would expect web
apps to update several times a day, or even per hour. How would a user tell
the difference between a bug fix / feature release on the one hand, and
something malicious (from their PoV) on the other hand?

This can happen already today if you try to download frequently a page
source code and diff for changes. It is just not verifiable publicly and
perhaps more cumbersome.

In any case, even if HCS was to be made into a standard, it won't fit all
use-cases. If you don't see any advantage to this technology, you could
just not use it right? I certainly wouldn't find reasonable to force the
usage of HCS of all web pages and all web sites.

Regards,

--
nVotes' CTO           https://nvotes.com
Eduardo Robles      +1(831) 778-4140

2017-04-25 10:33 GMT+02:00 Jochen Eisinger <eisinger@google.com>:

> Hey,
>
> I wonder how the logged certificates would be used. I would expect web
> apps to update several times a day, or even per hour. How would a user tell
> the difference between a bug fix / feature release on the one hand, and
> something malicious (from their PoV) on the other hand?
>
> best
> -jochen
>
> On Mon, Apr 24, 2017 at 12:27 PM Daniel Huigens <d.huigens@gmail.com>
> wrote:
>
>> Hi webappsec,
>>
>> A long while ago, there was some talk on public-webappsec and public-
>> web-security about verified javascript [2]. Basically, the idea was to
>> have a Certificate Transparency-like mechanism for javascript code, to
>> verify that everyone is running the same and intended code, and to give
>> the public a mechanism to monitor the code that a web app is sending
>> out.
>>
>> We (Airborn OS) had the same idea a while ago, and thought it would be a
>> good idea to piggy-back on CertTrans. Mozilla has recently also done
>> that for their Firefox builds, by generating a certificate for a domain
>> name with a hash in it [3]. For the web, where there already is a
>> certificate, it seems more straight-forward to include a certificate
>> extension with the needed hashes in the certificate. Of course, we would
>> need some cooperation of a Certificate Authority for that (in some
>> cases, that cooperation might be as simple, technically speaking, as
>> adding an extension ID to a whitelist, but not always).
>>
>> So, I wrote a draft specification to include hashes of expected response
>> bodies to requests to specific paths in the certificate (e.g. /,
>> /index.js, /index.css), and a Firefox XUL extension to support checking
>> the hashes (and we also included some hardcoded hashes to get us
>> started). However, as you probably know, XUL extensions are now being
>> phased out, so I would like to finally get something like this into a
>> spec, and then start convincing browsers, CA's, and web apps to support
>> it. However, I'm not really sure what the process for creating a
>> specification is, and I'm also not experienced at writing specs.
>>
>> Anyway, please have a look at the first draft [1]. There's also some
>> more information there about what/why/how. All feedback welcome. The
>> working name is "HTTPS Content Signing", but it may make more sense to
>> name it something analogous to Subresource Integrity... HTTPS Resource
>> Integrity? Although that could also cause confusion.
>>
>> -- Daniel Huigens
>>
>>
>> [1]: https://github.com/twiss/hcs
>> [2]: https://lists.w3.org/Archives/Public/public-web-security/
>> 2014Sep/0006.html
>> [3]: https://wiki.mozilla.org/Security/Binary_Transparency
>>
>>

-- 
--
Legal Notice: The information in this email and in any of its attachments is
CONFIDENTIAL and intended solely for the attention and use of the named
address/addresses. If you are not the intended recipient, any disclosure,
copying, distribution or retaining of this message or any part of it, 
without
the prior written consent of Agora Voting SL is prohibited and may be 
unlawful.
If you have received this in error, please contact the sender and delete the
material from any computer. Your data are in a file owned by Agora Voting 
SL.
You can exercise your rights of access, rectification, cancellation and
opposition by contacting Agora Voting SL at the following address: c/Fuente 
del
Rey, 31M, 28023 Madrid, according to the Organic Law 15/1999, of 13th
December of Protection of Personal Data.
Received on Wednesday, 26 April 2017 12:59:08 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC