Re: Security use cases for packaging

2015-01-30 Thread Daniel Kahn Gillmor
On Fri 2015-01-30 01:50:43 -0500, Yan Zhu wrote:
 Say that resource Y is a javascript file that listens for users typing
 in password fields and shows them a warning if the password is
 weak. The user verifies and loads the HTML page that includes Y but an
 attacker then blocks the request to fetch Y, so the user picks a weak
 password.

 My intuition is that most developers think about the security of their
 app as a whole, not the security of their app minus
 any-given-subset-of-resources.

I see what you're saying -- and javascript that is directly embedded in
the app would all definitely need to be loaded first (since we don't
know how it would affect the rest of the application).  I was thinking
of other resources that might be invoked or loaded later, via XHR,
dynamic script load or other requests.

I suppose the question then arises of what to do if the app triggers an
XHR or dynamic script load for a piece of signed content and that
signed content can't be fetched: the entire application would have to
block or something to avoid the scenario you describe.  That kind of UX
doesn't sound very web-like :/

--dkg



Re: Security use cases for packaging

2015-01-29 Thread Daniel Kahn Gillmor
On Thu 2015-01-29 20:14:59 -0500, Yan Zhu wrote:
 A signed manifest-like package description that lists the hash and
 location of every resource seems fine as long as all the resources are
 downloaded and verified before running the app. Perhaps this kills
 some of the performance benefits motivating packaging in the first
 place. :(

Why would you need to fetch all the pieces before running the app?
Consider a manifest that includes an integrity check covering resources
X, Y, and Z, but X is the only bit of code that runs first, and Y and Z
aren't loaded.

If you can validate the manifest, then you know you only run X if you've
verified the manifest and X's integrity.  If the user triggers an action
that requires resource Y, then you fetch it but don't use it unless it
matches the integrity check.

(i haven't developed webapps myself for ages, and the idea of a signed
webapp is relatively new to me, so feel free to explain any obvious part
that i'm missing)

--dkg

