In a project I'm working on [1], I'm planning to provide a browser extension that verifies the source code is digitally signed and that it matches the source code published on GitHub. I believe this creates a pretty good security model for a web-based app, even more so than most desktop programs.

Some more information from the security page [2]:

The browser extension provides improved security by verifying the integrity of the files served by the server. The verification is done using two factors:

- Cold storage signature verification: In addition to SSL, static files (html/css/javascript) are signed using standard Bitcoin message signatures, with a private key that is stored offline and encrypted. This ensures that the content served from the webserver was not tampered with by a third party.
- Comparing against the code on the GitHub repository: The source code from the GitHub repository is built on Travis-CI and the resulting hashes are published publicly on Travis's job page. The extension ensures that the content served by the webserver matches the open-source repository on GitHub.

If an attacker gains control over the web server, he still only has access to information the web server already knows (which is very little). To get sensitive information, he would have to modify the client-side code to send back more data to the server.

For an attacker to successfully mount such an attack against someone with the browser extension, he would have to:

- Gain access to the web server.
- Gain access to the personal computer of a developer with commit access to the GitHub repository. [3]
- Commit his changes to the public GitHub repository, where they can be seen by anyone. [3]
- Gain physical access to the offline machine with the private key and know the passphrase used to encrypt it.

[1] https://www.bitrated.com/
[2] https://www.bitrated.com/security.html#browser-extension
[3] That's assuming that GitHub and Travis-CI are themselves secured. Gaining access to any of them would make those steps unnecessary.