Hacker News new | ask | show | jobs
by yeldarb 4301 days ago
That would be really neat. It could also solve a security issue with public CDNs.

Right now there's nothing to stop a malicious CDN from changing the content of an included script on your site without you knowing it.

With a hash tag like this the browser could refuse to load the file or warn the user if it didn't match.
2 comments
sp332 4301 days ago
You could have a small JS snippet on the page (served from your own domain) that checks the hash of the JS loaded from a CDN before running it.
link
bduerst 4301 days ago
That would work well for most, until the /jquery-latest.min.js or whatever is updated to the newest, latest release. But that would also be a problem with the browser based solution.

The question then is - how do you distribute the trusted hash?

Maybe there should be an independent organization or website that serves trusted hashes for common or registered libraries and files.

link
sp332 4301 days ago
Right, you can't verify hashes for resources that change. You'd have to link to a specific version that everyone can agree on. As for trusting the hash itself - I guess someone you trust (probably the author) would have to sign the hash, then you could verify the signature.
link
bduerst 4301 days ago
As long as the author isn't serving the signed hash via the same CDN as the files. Then there's the logistics problem of having to looking in different hash locations for each file.

I'm just thinking of some libraries that could be security sensitive, and thus using latest releases on day 1 is the most important. I surmise these would also be the same libraries you would want to use this type of authentication on.

link
sp332 4301 days ago
If an attacker changes the signed copy on the CDN, the signature check will fail.
link
benologist 4301 days ago
Maybe browsers should ship with these libraries so nobody's relying on every single random website to be impenetrable.
link
TheLoneWolfling 4301 days ago
Then you end up with the question of "how do you decide what libraries to include"
link
bduerst 4301 days ago
Exactly.

Then you create an entirely new, fragmented ecosystem like the current html and css web standards, adding more complexity and layers to front-end web development.

Best that the browsers stay agnostic in that regard.

link
benologist 4301 days ago
http://trends.builtwith.com/javascript

All the browser companies are in a particularly good position to collect this information too.

link