

Static Signing: An Alternative to SSL - jmah
http://jonmah.tumblr.com/post/18281110021/static-signing

======
geal
This looks nice, but it has a few problems:

-first, relying on DNS for certificate distribution might not be a good idea. It adds complexity, would not be secure without stuff like DNSSEC, and places too much responsibility on DNS.

-second, you could have gained a lot of CPU time in 1995 when static pages were the norm, but right now, for apps using AJAX heavily, you will not gain much.

-third, it does not prevent MITM. I can mount a server between you and the website, and keep serving you outdated content with its valid signature. Or serve you prepared content that I received earlier.

-last but not least, TLS certificates are cheaper and cheaper these days (not necessarily a good thing, though), and encryption doesn't cost much anymore.

Apart from that, I agree that would have been a cool idea :)

------
jgrahamc
Very similar to a proposal I made a few years ago for signing of SCRIPT tags:
[http://blog.jgc.org/2009/09/solving-xss-problem-by-
signing-t...](http://blog.jgc.org/2009/09/solving-xss-problem-by-signing-
tags.html)

~~~
jmah
Indeed, looks like an extension of that to HTML and images. With the HTML is
signed, then scripts just need to be hashed, not signed with your key.

------
michaelmior
It's an interesting idea. I'm curious about the point (²) about cache hits
where there are currently misses. What scenario would this happen in? If
you're pointing to the same cachable resource on different pages, it should be
cached anyway.

