Hacker News new | ask | show | jobs
by buboard 2381 days ago
> RFC 3986 goes out of it's way

the RFC uses the word "host" and not "signer". It also says that the "host" is intented to be looked up in some service registry, and there is no such thing for arbitrary signers.

> exactly and concretely, is that expectation

One of the common security advice banks used to give is "check your browser address that you are in our server"

> just why would they need signed exchanges

with signed exchanges they can fool amp to cache the page long after it has been deleted from the server
2 comments
jsnell 2381 days ago
The RFC explicitly says that "host" doesn't necessarily mean an actual host and you still insist the opposite. So I don't really know what to say.

> One of the common security advice banks used to give is "check your browser address that you are in our server"

So you say that everyday users have an expectation that they're "in the bank's server"? That doesn't seem very concrete, since that could mean anything. Surely there is some kind of expectation they have about actual behavior or property. Something that will happen / can't happen right now, but the opposite with signed exchanges.

> Anyone who has the file can intercept the form data from that page now - a complete phishing attack.

Uhh... And just how would they do that? They can't inject anything into the page, and they can't modify the page. How do you figure they force the browser to submit the form to the wrong server?

link
buboard 2381 days ago
> They can't inject anything into the page

assuming that someone finds a way to sign a malicious Html page (e.g. by sneaking into the editors office) they can serve it from anywhere, and the browser will pretend it's coming from the bank

link
echeese 2381 days ago
If someone's able to get the signing key you've already failed at security.
link
danans 2381 days ago
> One of the common security advice banks used to give is "check your browser address that you are in our server"

" in our server" is a simplification of the technical explanation: "signed by our computers using our private keys before delivery to you". That is still maintained in the case of signed content exchange, but instead the transport function is provided by a different server.

It's not much different than, i.e. signing a compiled app with your private keys before uploading it to an app store. Such apps also use hosts to identify themselves and their content, even though they are delivered via app-store mechanisms.

link
buboard 2381 days ago
> signed by our computers using our private keys before delivery to you

Please try to explain that to an everyday grandma.

I still dont' see how it's an improvement. The file can be masqueraded by an arbitrary server god knows where and still be served as valid to me. Anyone who has the file can intercept the form data from that page now - a complete phishing attack. There are so many things that can go horribly wrong it just makes one wonder what's wrong with googlers these days: https://blog.intelx.io/2019/04/15/a-new-type-of-http-client-...

link