2017-07-SRI.md

File metadata and controls

178 lines (130 loc) · 4.09 KB

Are these my assets?

Lightning Talk about verification of assets


Why should I care about that?

Every web app needs some assets

Are you sure that the assets received by the browser are the same ones your server sent?

Is it your problem as a developer to ensure that?


Scenario 1

Bob sends encrypted data to Alice

Storing the data on the server

Delivery to Alice

Alice needs a crypto lib to decode the data

Mallory injects a function to get a copy of the secret keys


Scenario 2

Alice uses online banking

Mallory injects code to change text elements and inputs


S***

What can we do to avoid that?

Subresource Integrity (SRI)

Can it be used?


```html
<html>
    <head>
        <title>Page</title>
        <link
            rel="stylesheet"
            href="style.css"
        />
    </head>
    <body>
        <script
            src="script.js"
        ></script>
    </body>
</html>
```

ToDo:

1. Generate hash sums for the files

```sh
› cat script.js | openssl dgst -sha512 -binary | openssl enc -base64 -A
sG+Ez27OjzA8ygZk0s7+BAG/5c/RgAXbLZjcDRHwe+PJiGJ/KCoh4S7bO+SS6jcKxjmtPcKM9n+5OtR0LE3MCA==
```

2. Pass the hash sum to the browser

???


```html
<html>
    <head>
        <title>Page</title>
        <link
            rel="stylesheet"
            href="style.css"
            crossorigin="anonymous"
            integrity="sha512-8JD/tA1sY91TVQzWWK8fo0dkt90/4CNAOSdz06fkgtO0vzrzxExqC8OED8GCqfz6SBsa2mC9TvU7OK+s6atY5Q=="
        />
    </head>
    <body>
        <script
            src="script.js"
            crossorigin="anonymous"
            integrity="sha512-sG+Ez27OjzA8ygZk0s7+BAG/5c/RgAXbLZjcDRHwe+PJiGJ/KCoh4S7bO+SS6jcKxjmtPcKM9n+5OtR0LE3MCA=="
        ></script>
    </body>
</html>
```

```html
<html>
    <head>
        <title>Page</title>
        <link
            rel="stylesheet"
            href="style.css"
            crossorigin="anonymous"
            integrity="sha512-8JD/tA1sY91TVQzWWK8fo0dkt90/4CNAOSdz06fkgtO0vzrzxExqC8OED8GCqfz6SBsa2mC9TvU7OK+s6atY5Q=="
        />
    </head>
    <body>
        <script
            src="script.js"
            crossorigin="anonymous"
            integrity="sha384-r3CXcejLa9Rhj9dcft/KmEbwYzCdCtYEwsohRGLdIOOipftyZh8Um2R8bRGv+PMR sha512-sG+Ez27OjzA8ygZk0s7+BAG/5c/RgAXbLZjcDRHwe+PJiGJ/KCoh4S7bO+SS6jcKxjmtPcKM9n+5OtR0LE3MCA=="
        ></script>
    </body>
</html>
```
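The second `<script>` tag above lists two hashes. Per the SRI spec a browser only consults the strongest algorithm listed (sha512 over sha384 over sha256), and any of the digests given for that algorithm may match. The following added example (not code from the talk) produces the same `integrity` value as the openssl pipeline from the ToDo slide and replays the browser-side check against a constructed sample asset; `script` and its content are made up for the demo.

```python
"""Added example: compute SRI integrity values and verify fetched bytes
against an integrity attribute the way a browser does (SRI spec)."""
import base64
import hashlib

# Algorithms the SRI spec recognises, ordered from weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def integrity_value(content: bytes, algo: str = "sha512") -> str:
    """Same output as `openssl dgst -<algo> -binary | openssl enc -base64 -A`,
    prefixed with the algorithm name, e.g. 'sha512-sG+Ez27...'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def parse_integrity(attr: str) -> dict[str, set[str]]:
    """Split a space-separated integrity attribute into {algo: {digest, ...}}.
    Tokens with an unknown algorithm are ignored, as a browser ignores them."""
    parsed: dict[str, set[str]] = {}
    for token in attr.split():
        algo, sep, rest = token.partition("-")
        # The spec allows an optional '?options' suffix; it is dropped here.
        digest = rest.split("?", 1)[0]
        if sep and algo in STRENGTH:
            parsed.setdefault(algo, set()).add(digest)
    return parsed

def matches_integrity(content: bytes, attr: str) -> bool:
    """True if the browser would accept `content` for this attribute.
    Only the strongest listed algorithm is checked; any digest listed for it
    may match. If no algorithm is recognised the metadata is treated as
    empty and the resource is allowed, which is what the spec prescribes."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=STRENGTH.__getitem__)
    actual = integrity_value(content, strongest).split("-", 1)[1]
    return actual in parsed[strongest]

if __name__ == "__main__":
    # Constructed sample asset standing in for script.js from the slides.
    script = b"console.log('hello');\n"
    attr = " ".join(integrity_value(script, a) for a in ("sha384", "sha512"))
    print(attr)
    print(matches_integrity(script, attr))             # original asset: accepted
    print(matches_integrity(script + b"//x", attr))    # tampered asset: blocked
```

Replacing `script` with the bytes of the real `script.js` reproduces the sha512 value shown in the ToDo slide.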


Thanks