On 1/4/11 10:51 PM, Glenn Maynard wrote:
On Tue, Jan 4, 2011 at 10:53 PM, Boris Zbarsky<[email protected]> wrote:
Note that you keep comparing websites to desktop software, but desktop
software typically doesn't change out from under the user (possibly in ways
the original software developer didn't intend). The desktop apps that do
update themselves have a lot of checks on the process precisely to avoid
issues like MITM injection of trojaned updates and whatnot. So in practice,
they have a setup where you make a trust decision once, and then the code
that you already trusted verifies signatures on every change to itself.
HTTPS already prevents MITM attacks and most others
I've yet to see someone suggest restricting the asking UI to https sites
(though I think it's something that obviously needs to happen). As far
as I can tell, things like browser geolocation prompts are not thus
restricted at the moment.
the major attack vector they don't prevent is a compromised server.
Or various kinds of cross-site script injection (which you may or may
not consider as a compromised server).
I thnik the main difference is that the private keys needed to sign
with HTTPS are normally located on the server delivering the scripts,
whereas signed updates can keep their private keys offline.
Or fetch them over https from a server they trust sufficiently (e.g.
because it's very locked down in terms of what it allows in the way of
access and what it serves up), actually; I believe at least some update
mechanisms do just that.
That's not a model web apps can mimic: all ways to execute scripts, in both
Javascript files and inline in HTML, would need to be signed, which is
impossible with templated HTML.
Agreed, but that seems like a problem for actual security here.
You don't really know that an installer you download from a server is
valid, either. Most of the time--for most users and most
software--you have to take it on faith that the file on the server
hasn't been compromised.
That really depends. Publishing checksums is not all that uncommon.
The point is that at least the remote possibility of due diligence on
the user's part exists here. So far, for web sites, it doesn't.
But, yes, you only have to do that once with auto-updating systems, not on
every update.
Indeed.
-Boris
