|
|
|
|
|
|
by theandrewbailey
3797 days ago
|
|
|
If you're concerned about things getting tampered with, encryption guarantees that it won't. With your suggestion of hashes + HTTP, if it is tampered with, the page silently won't work as intended. With hashes + HTTPS, loud errors happen when things are tampered with. And because it's static content, deliver over HTTPS once and cache the hell out of it. |
|
|
Sure, HTTPS protects against tampering, but its not the only way. The parent comment seemed interested in ways of solving the same problem without the CPU overhead of encryption (whether this is a valid concern or not is a separate question).
In fact, hashes offer superior protection when loading resources via a CDN since you don't need to trust that the CDN won't tamper with things.
> With your suggestion of hashes + HTTP, if it is tampered with, the page silently won't work as intended.
Why? This would require browser support and it could whine about mismatched hashes as much as it wants.
---
I'm not seriously proposing that we should do this, but I find it interesting to think about the different ways that things can be done.