by cbr 3923 days ago

    Widespread adoption of Subresource Integrity could
    have largely prevented the Great Cannon attack
    earlier this year.
Sorry, it wouldn't have. From the CitizenLab report [1] on the Great Cannon attacks:

    In the attack on GitHub and GreatFire.org, the GC
    intercepted traffic sent to Baidu infrastructure
    servers that host commonly used analytics, social,
    or advertising scripts.  If the GC saw a request
    for certain Javascript files on one of these servers,
    it appeared to probabilistically take one of two
    actions: it either passed the request onto Baidu’s
    servers unmolested (roughly 98.25% of the time),
    or it dropped the request before it reached Baidu
    and instead sent a malicious script back to the
    requesting user (roughly 1.75% of the time).  In
    this case, the requesting user is an individual
    outside China browsing a website making use of a
    Baidu infrastructure server (e.g., a website with
    ads served by Baidu’s ad network).  The malicious
    script enlisted the requesting user as an unwitting
    participant in the DDoS attack against GreatFire.org
    and GitHub.
So the idea is someone runs a site with:

    <script src="http://baidu.com/ads.js"></script>
When visitors request these scripts the request passes through the "Great Cannon" which 1.75% of the time serves a different script instead. That malicious script makes lots of requests to the victim sites, and they're overloaded.

To prevent this sort of attack with SRI you would need to change your page to look like:

    <script src="http://baidu.com/ads.js"
            integrity="hash of the real ads.js"
            crossorigin="anonymous"></script>
The problem is, Baidu isn't going to be willing to commit to always serving the same ads js: they need to be able to make upgrades.

SRI is useful in the case where the entity producing the html is referencing js that they've uploaded to a third party CDN or js where they choose what version to run, but not in the normal "include a snippet and we'll do stuff to your page" model.

(To block the Great Cannon there, what would have worked would be moving the js serving to HTTPS.)

[1] https://citizenlab.org/2015/04/chinas-great-cannon/