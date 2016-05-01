Hacker News new | comments | show | ask | jobs | submit login
"The security properties of a collision resistant hash function, ensure that a modification results in a very different hash."

I really appreciate the clarity of this post. The author is building up the groundwork without skipping steps that may be obvious to many readers. I of course knew the purpose of a hash before reading the article, but some people don't - and that sentence clearly let those users know why the hash matters without making it less readable for knowledgeable readers.

Writing clarity matters.

If you use webpack, just drop in webpack-subresource-integrity [0] for basically "free" SRI tags on all scripts.

It's not really as useful if you are serving your static assets from the same place as the HTML (and you always use HTTPS) but if you load your js/css on another server SRI can still provide some protection.

[0] https://github.com/waysact/webpack-subresource-integrity

And IIRC, it's built-in to creat-react-app.

It used to be, briefly, unfortunately it had to be removed again because create-react-app has a zero-configuration policy and SRI can break pages served without TLS unless Cache-Control: no-transform is set on the server [1].

[1] https://github.com/waysact/webpack-subresource-integrity#pro...

It'd be cool if the browser used this to allow cross-origin caching as well.

Say I have jQuery previously loaded a page that included jQuery from CDNJS and now I'm in China and another site tries to load jQuery from Google's CDN.

Currently that request would get blocked by the great firewall. But since the browser should know that this file matches one it has seen (and cached) before it should be able to just serve the cached file.

This could also save a network request even if I'm linking to a self-hosted file on my own servers if I include the hash.

The potential problem I see with this is that it could be abused for a "have you loaded this resource" privacy leak. Simply pick a unique script on a website, if my server doesn't get a hit then I know you went there before.

Possible solution is to have a content hash proxy trusted by the user but shared between multiple users. Then the site can only get the data at the proxy-level rather than the user-level, and not even that if the proxy is large enough to justify crawling the web to pre-cache everything, or is behind a larger cache that does.

That's not a solution but a work-around. The original privacy issue stands. browsers can't cache hashed content by default. :/

The browser would know if it had a content hash proxy configured and then could use it for all content hashed data. The issue becomes getting people to use one, but partial uptake is better than nothing. You could at least get most corporate and education environments with some equivalent to WPAD[1], and maybe even some consumer-level ISPs the same way if they want to reduce the traffic over their network.

[1] https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Proto...

We already have that though. Images and HSTS headers.

Save the load time and simulate it?

Yeah, that would be cool. They could also even potentially save JIT typing, specialization, and even parsing. This is a big deal on mobile.

There is Cache-Control: immutable

https://hacks.mozilla.org/2017/01/using-immutable-caching-to... https://bitsup.blogspot.de/2016/05/cache-control-immutable.h...

Like every cross site cacheing scheme this could be abused for tracking purposes.

Unfortunately this would break Content Security Policy.

Not that many people use CSP, but that's the excuse I've heard for not allowing cross-origin caching.

More detail on this: in a browser's current usage model, this is vulnerable to a 'cache origin confusion attack'. See this thread [1]. It's a bit hard to follow, so perhaps see these posts [2][3], which state the problem succinctly. Let me adapt the text from [3]:

The problem is that www.victim.example/evil.js doesn't exist, and never did, but your browser won't know that if it's in the cache -- this gives you a way of faking files existing on other servers at the URL of your choice, and as long as they're in the cache you'll get away with it.

and from [2]:

0. evil.example hosts evil.js, <script src=evil.js integrity=foo>.

1. you visit evil.example and the browser stores evil.js with the cache key "foo".

2. you visit victim.example which has an XSS vulnerability, but victim.example thinks it is safe because it uses Content Security Policy and does not allow inline scripts or scripts form evil domains.

3. the XSS attack is loading <script src=www.victim.example/evil.js hash=foo>

4. the browser detects that "foo" is a known hash key and loads the evil.js from cache. Thinking that the file is hosted on victim.example - when the file is in fact not even present.

5. the evil.js script executes in the context of victim.example, even though they use a Content Security Policy to prevent XSS from being exploitable.

[1] https://news.ycombinator.com/item?id=10310594 [2] https://news.ycombinator.com/item?id=10311555 [3] https://news.ycombinator.com/item?id=10312333

(parts first posted here: https://news.ycombinator.com/item?id=13493407#13495482)

It seems like the problem is that you need to verify that the file actually exists there with the specified hash, but that isn't the same as having to download it. Is there a way to ask the server for just the hash of a file? You would still have the round trip to the server, but it would be a request for a 32 byte content hash rather than several orders of magnitude more data than that.

reply


One of the replies to my similar post in the earlier thread [5] was from btrask who proposes a similar scheme, using a manifest placed in .well-known/, on the issue tracker for the W3C SRI spec [6]. The conversation is still ongoing, but see that for advantages and drawbacks, as well as other proposed solutions (and/or join the conversation!)

[5] https://news.ycombinator.com/item?id=13495482 [6] https://github.com/w3c/webappsec-subresource-integrity/issue...

More people should use CSP. It doesn't mean you have to stop worrying about XSS entirely, but it means that when it happens CSP can change it from being "a potentially wormable exploit that could be used to leak many users' data and kill your company" to "slightly annoying way the page formatting can be broken".

> It'd be cool if the browser used this to allow cross-origin caching as well.

As a caveat, there's info leaking here depending on whether the cache hits/misses, so this would need to be opt-in from the cache source, e.g. You set up subresource integrity and also say "allow other domains to load this resource from the cache."

Call it subresource sharing?

Edit: opt-in would need to be on both "sides" (sharer and sharee).

This still wouldnt be enough, because you could still target the unique mix of script/script versions some specific site has, and have a high chance of being accurate, or at least high enough for statistical purposes.

reply


Why is it insufficient?

If the site doesn't want to leak that information, it doesn't participate in cache sharing. Since sharing is opt-in, sites won't unknowingly leak this information.

Edit: whoops. I see what you mean. I missed an edit while modifying an earlier draft and left the opt-in only on one side, the sharer.

Given the accumulation of scripts from many sites it might work out alright, those specific versions could come from anywhere - not like only 1 site around uses a specific version of jquery or something. It might be enough, but would need testing to prove it out either way.

Not just CDN, there's benefits to rolling out SRI for lots of your third parties.

Your stripe js, scary ad networks js, front-end analytics companies. SRI is really neat and helps protect yourself from these many 3rd parties being pwned.

SRI may be a double edged sword. What if stripe fixes a bug and rolls a new version of their JS? Your page stops accepting payments. That's bad.

If jQuery is compromised you'll detect it and download from different location but for stripe there is no fallback.

reply


Well, if Stripe wants you to stop accepting payments, you will. They already can take the resource offline, I don't see how this is a new/additional problem.

If they want you to stay up-to-date, they'll provide a piece of PHP/Node that emits the latest URL/SRI tag.

reply


You, as the web developer, want to start using subresource-integrity. Stripe, as a depended-upon 3rd party, has not yet bought in to subresource-integrity hype-train.

Stripe rolls out a fix for a security issue or other bug in their JS. This breaks your subresource-integrity check. The didn't want you to stop accepting payments, they wanted to fix a vuln.

That hampers the usefulness of using subresource-integrity on 3rd-party resources today (which is what yeldarb suggested). Perhaps in the future the 3rd party would provide a script that emits the URL/SRI, but that isn't today.

  the 3rd party would provide a script that emits the URL/SRI
And we're back to square one - we can't trust _that_ script to not get pwned

> If they want you to stay up-to-date, they'll provide a piece of PHP/Node that emits the latest URL/SRI tag.

Then how do you verify the integrity the integrity for the tag?

Except that when the third party changes that script you'll stop loading it. Unless they adopt strict versioning in their files you'll have to be careful.

I thought those 3rd-party links are just to make it easier to get started. I've been checking Javascript files into my project repository, since it seemed unwise to add N different points of failure for no reason.

And anything important like your financial provider is usually very risk-averse to breaking changes, and should give plenty of notice for an update. And if you're including a hash, you don't care about automatic updates anyways.

I can understand trusting one CDN for performance reasons. But do people really add so many different dependencies on their sites? Should I be doing that instead?

"An important side note is that for Subresource Integrity to work, the CDN must support Cross-Origin Resource Sharing (CORS)."

This doesn't make sense to me. Why shouldn't I be able to perform integrity checking on resources from non-CORS domains?

Attackers could otherwise verify that resources on private networks or retrievable only with the victim's cookies have certain content.

See, e.g., <https://github.com/w3c/webappsec/issues/418> for some broader discussion.

Thanks for the link, but the closing '>' should not be part of it.

That's a bug in ycombinator's linkification code. A quite frustrating one, since <> is _the_ standard way to delimit URLs in plaintext (going back to earlier than section 2.2 of RFC 1738, back in 1994!), so having linkifiers that still fail to respect it is really unfortunate.

Information leakage? Just guessing

See also Content-Security-Policy require-sri-for

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...

I wonder if it would be a good idea that if the SRI detected a modified javascript file that a warning should be presented to a web user when this occurs?

The title should have a "(2015)" suffix.

Date tags are only relevant when the information they contain is of a time sensitive nature. This article would say exactly the same thing if it was written today.

Thanks! We've updated the title.

