Re: Security use cases for packaging
On Thu 2015-01-29 20:14:59 -0500, Yan Zhu wrote: > A signed manifest-like package description that lists the hash and > location of every resource seems fine as long as all the resources are > downloaded and verified before running the app. Perhaps this kills > some of the performance benefits motivating packaging in the first > place. :( Why would you need to fetch all the pieces before running the app? Consider a manifest includes an integrity check covering resources X, Y, and Z, but X is the only bit of code that runs first, and Y and Z aren't loaded. If you can validate the manifest, then you know you only run X if you've verified the manifest and X's integrity. If the user triggers an action that requires resource Y, then you fetch it but don't use it unless it matches the integrity check. (i haven't developed webapps myself for ages, and the idea of a signed webapp is relatively new to me, so feel free to explain any obvious part that i'm missing) --dkg signature.asc Description: PGP signature
Re: Security use cases for packaging
On Fri 2015-01-30 01:50:43 -0500, Yan Zhu wrote: > Say that resource Y is a javascript file that listens for users typing > in password fields and shows them a warning if the password is > weak. The user verifies and loads the HTML page that includes Y but an > attacker then blocks the request to fetch Y, so the user picks a weak > password. > > My intuition is that most developers think about the security of their > app as a whole, not the security of their app minus > any-given-subset-of-resources. I see what you're saying -- and javascript that is directly embedded in the app would all definitely need to be loaded first (since we don't know how it would affect the rest of the application). I was thinking of other resources that might be invoked or loaded later, via XHR or dynamic script load other requests. I suppose the question then arises of what to do if the app triggers an XHR or dynamic script load for a piece of signed content, and that signed content can't be fetched, the entire application would have to block or something to avoid the scenario you describe. That kind of UX doesn't sound very web-like :/ --dkg