On Dec 10, 2014 9:45 PM, "Joel Weinberger" <j...@chromium.org> wrote:
>
> Hello security-dev'ers. Over in spec land, we've been pushing towards a version 1 subresource integrity spec. Most of what we've come to hasn't been too controversial (as we've taken out a lot of the controversial aspects, such as caching).
>
> However, one major hurdle exists: should integrity only be enforced on sites that are carried over authenticated origins? For example, can http://foobar.com have a <script> tag with an integrity attribute? (Important note: it is not controversial that the resources that integrity values point to must be over authenticated origins).
>
> Chromium and Mozilla so far have had different approaches to this. Namely, we've publicly argued for a requirement that SRI only work on authenticated origins as we believe integrity is only meaningful if carried over a channel that itself provides integrity.
I must admit, I'm personally a little mixed on this, though I won't rehash the debate here. As one of the staunchest supports of HTTPS-all-the-things, I can't help but feel like I don't (fully) get this argument.
> Mozilla, however, feels that it still has value and we shouldn't neuter an API that might provide value. The compromise that Freddy Braun of Mozilla (my co-editor on the spec, along with Mike West of Google and Dev Akhawe of Dropbox) proposed is language like, "a user-agent MAY want to enable SRI support only on authenticated origins" which would allow both of our approaches.
>
> What do you all think? I'm particularly interested in the thoughts of Chromium contributors here, since this relates to policy that we've been trying to encourage for a while (HTTPS for new features). Personally, I think this is a pretty good compromise as it allows us to keep our implementation and approach but allows for Mozilla and other user-agents to be more flexible.
>
This is effectively the compromise the WebCrypto WG reached, and I personally consider it deeply unsatisfying and misleading for web developers.
I realize the cases are nuanced - the use of keys in WebCrypto is unquestionably unsafe for any purpose other than device tracking, while I imagine the argument for SRI+HTTP is that it protects you against hosting compromise, but not ISP compromise.
I think you need to carefully consider what the effect on developers will be. We already see no shortage of developers encountering Chrome's restriction for HTTPS after testing in Firefox. While deeply disturbing on its own right (these developers are surprised to find HTTP is not a secure script delivery mechanism, yet are busy implementing crypto systems), the biggest concern is that there's no place they can go and see what the "spec added" requirements are.
So I guess I'm saying there's precedent, but you should be very careful before assuming that precedent is good precedent (especially if from the Web Crypto WG).
I would also encourage you to be explicit in your specification exactly what should happen if a UA opts to make the MAY a MUST. Using a sentence as you described leaves great ambiguity (as you note). Instead, work that decision into every normative algorithm you have and define what must happen.
I really don't understand why anyone would want to make HTTP appear,
falsely, to continue to be acceptable. It makes even less sense to
make the HTTPS guarantee ambiguous. The combination of server
authentication, data integrity, and data confidentiality, for all
resources, is the *bare* *minimum*.
We should be well past this, and moving on to discuss such things as
encrypting SNI/other parts of the handshake, making traffic analysis
more expensive, improvements to authentication like getting rid of
bearer tokens, and so on. We should be celebrating with scotch and ice
cream as Certificate Transparency rolls out to 100%...
I can't believe we're still having to fight to maintain the bare
minimum. It's almost 2015.
On Thu, Dec 11, 2014 at 11:25 AM, Ryan Sleevi <rsl...@chromium.org> wrote:
> In that model, if I'm the author of http://foo.com and I want to source a
> resource from http://bar.com, and I want to ensure that resource has not
> been modified by the host, then SRI benefits and provides a net-positive
> security benefit.
So the # of entities that could mangle the resource goes from 2**20 to
2**20 - 1. De minimis non curat lex securitatis.
So the # of entities that could mangle the resource goes from 2**20 to
2**20 - 1. De minimis non curat lex securitatis.
Relatedly, should we stop offering CSP for HTTP hosts? Should we have never offered it in the first place?
On Thu, Dec 11, 2014 at 1:06 PM, Michal Zalewski <lca...@google.com> wrote:
> remove barriers to entry, and keep end users informed about the risks (that
> probably includes an overhaul of the address bar UI for HTTP sites).
Hopefully I will have something to announce about that today or
tomorrow, in fact.
> Perhaps there is merit to a more radical view, and perhaps we simply see no
> room for HTTP sites on the Internet; but if that's the case, we should face
> this head-on and perhaps simply announce that plain-text HTTP will be put
> behind an interstitial or dropped in mainstream browsers in a couple of
> years.
Yes.
> But short of doing that, taking away features that are legitimately useful
> to HTTP sites and provide measurable security benefits seems like the wrong
> route to me.
I would agree, but I'm just not convinced that SRI for HTTP is useful
enough. It just looks reallllly marginal to me.
On Dec 12, 2014 9:37 AM, "Justin Schuh" <jsc...@chromium.org> wrote:
>
> I hate to come across as defeatist, but it seems like the discussion at this point has taken SRI in the direction of minimum possible utility. I'm highly dubious there's much legitimate demand for SRI beyond the desire to preserve the integrity chain while allowing intermediary caching (i.e. by bootstrapping from HTTPS and allowing resource fetches over HTTP).
That isn't what the spec says. It sounds like your defeatism is to encourage and prolong mixed content? A key part of the discussions has been to avoid that.
> I also strongly doubt that the rogue CDN over HTTPS scenario is something any significant number of sites would even consider (much less implement).
That is the entire value proposition for SRI at this time.
>
> So, here's my suggestions (which go beyond the original question, but that's already veered off the rails anyway):
> Do not allow SRI to bootstrap from insecure origins (e.g. from HTTPS). This one isn't a dealbreaker, but it should be a no-brainer. The whole point of the standard is to provide integrity, and if you don't have integrity when you bootstrap then you can't magically get it at any point later in the chain. If we want to allow bootstrapping over channels lacking integrity, then it should really be under another name.
You're treating the intermediaries as hostile, except the point of this thread has been that SRI does nothing for hostile intermediaries, nor should it.
In a hostile intermediary case, I agree that HTTP->HTTP and HTTP->HTTPS are fundamentally broken. HTTPS->HTTP prolongs the use of optionally blockable content, and only helps the <img> and <video> tags (the two remaining areas).
However, for HTTPS->HTTPS, aka the state of the world we want to bring about, it provides zero value, because HTTPS already dealt with the intermediary.
Whereas if the target is hostile CDN, every single direction has value.
That's why I say if it is hostile intermediary (which the intent to implement said it wasn't), then it's pointless and we shouldn't do it. But it isn't - it is CDN.
> Allow SRI resource requests to insecure origins (e.g. to HTTP). I feel like it should be painfully obvious that this is the primary use case for the feature. Site operators want to be able to support intermediary caching of public, long-lived resources without giving up integrity. Instead, it seems like we're telling them they have to either operate infrastructure at the scale of Google or shell out money to CDNs to get edge caching. Worse, in the developing world intermediary caching is often the only thing available, and the upstream pipe is very small to begin with. So, what we're proposing at the moment is to just leave them out in the cold entirely, which seems like a pretty terrible idea.
> Use the mixed-display indicator to identify SRI from secure to insecure origins (e.g. from HTTPS to HTTP). This is already one of the attributes that the mixed-display indicator represents anyway. So adding into that bucket actually makes sense. And it's a good transitional move to get us to a world where transport integrity is the baseline, and anything less is labelled as bad.
This is... redundant? It is already there by definition of HTTPS including HTTP resources. You're not penalizing anything here, nor adding value to the UI.
> So, I actually see value in
> HTTP -> HTTP SRI. It doesn't solve all problems, but it makes a quantitative
> difference - and if anything, breaking the HTTP/HTTPS symmetry makes it more
> confusing and fragile.
The problem here is middleboxes tampering with the
subresource--attempting to minify CSS, attempting to strip out
malware-ish JS code, transcoding images, etc.
On Dec 12, 2014 10:47 PM, "Brian Smith" <br...@briansmith.org> wrote:
>
> 'Michal Zalewski' via Security-dev <securi...@chromium.org> wrote:
> > In some of the arguably most desirable use cases (ads), it probably
> > won't work because nobody will want to lock into a specific version of the
> > ad-serving script and have it break a week later. On top of that, the ad
> > scripts will load other scripts and frames, and I can't imagine advertisers
> > putting a lot of engineering effort into designing some sort of a "trusted
> > bootstrap" system that progressively verifies everything without providing a
> > good mechanism to make updates or revoke bad scripts.
>
> I don't think ads and analytics are reasonable use cases for SRI for
> the reasons that Michal cited, even though they are one of the
> official use cases listed in the SRI draft. I think the solution to
> that is just to delete that use case from the SRI draft.
>
> > The "authenticate your own scripts hosted at a CDN" use case is somewhat
> > compelling. It would be something that at least high-profile sites like
> > Facebook would probably want to consider, although it adds the need for some
> > non-trivial manual maintenance or templating infrastructure. I think that
> > virtually all of these use cases would be same-protocol.
>
> Expanding this beyond what's done today:
>
> 1. GMail in Syria. Wouldn't it be great if GMail users in Syria could
> fetch the initial page from a server outside of Syria, and then
> securely (via SRI) fetch all the scripts and CSS and boilerplate
> images from within Syria, so that the GMail UI still loads pretty
> fast, without having to trust any servers in Syria?
>
Not if it means giving up confidentiality. GMail is HTTPS; your case only becomes compelling in a world of mixed content, which is a bad world that should go away.
> 2. Youtube in the US: Would't it be great to have all the subresources
> for the Youtube app cached in a CDN with servers that are distributed
> across every neighborhood in the US, such that latency is close to
> 0ms, but there's practically zero physical security for the servers,
> yet Youtube still stays 100% secure as long as the initial page load
> is from a trusted server?
You're conflating security with integrity, and in the process, intentionally giving up authentication and confidentiality.
This is not a good world to be in. If that is the goal of SRI - which I'm assured to no end that it is not - then we shouldn't be implementing it.
In both cases, these reveal to the network what the user is doing, explicitly. This is hardly a desirable state; we should protect the user's confidentiality, and give them a choice if they want to degrade that. In practice, this can only mean blocking the content and checking for user consent - the same as active mixed content.
The presence and prevalence of passive mixed content provides a huge boon for user tracking by passive intermediaries - an attack that should be defended against, not celebrated.
>
> 3. Wouldn't it be great for every site in the world to be able to load
> jquery from https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js
> without having to trust the ajax.googleapis.com server?
This is the only case where I am 100% on board with you - and it is ALL that I think SRI can supply.
That sounds like preventing a feature out of fear and superstition than solid technical ground. Said middleboxes can mess with any of the HTTP loaded resources, so HTTPS->HTTP does nothing to mitigate this, thus shouldn't be required for that threat model.
>
> The use cases for HTTPS->HTTPS subresources are really compelling and
> it seems feasible to get it working well for HTTPS->HTTPS. A
> reasonable strategy is to verify that HTTPS->HTTPS works first, and
> then eventually try to make HTTP->HTTPS and/or HTTP->HTTP work too.
> The prioritization could even rationally be:
>
> 1. Make SRI for for HTTPS->HTTPS.
> 2. Do a bunch of other stuff to make the web awesome.
> 3. Make SRI work for other cases.
>
> I don't see that as "hostage taking" but simply as recognizing that
> not every part of SRI has the same priority.
>
> Cheers,
> Brian
It is an artificial limitation based on superstition. No one will be able to prove your superstition right or wrong until they experiment. There will be zero incentive for sites to experiment if browsers don't implement it. So it makes far more sense under this model of something maybe-breaking in wild to actually treat it like any other web feature and release it. Site operators are plenty capable of watching for issues and errors - their incentives are aligned to do just that. There's no new data browsers will gain in the interim until they just implement it; the prioritization is unnecessary and artificial.
I'm going to go out on a limb here and try to summarize the various positions that have been listed on this thread, of which I think there are basically 3:
- We should support SRI on HTTP sites and pointing towards HTTP resources. SRI should only be used for enforcing the integrity of the end resource thus the threat model has nothing to do with the transport, so it doesn't matter if the transport of the integrity itself or the resource is unauthenticated.
- We should support SRI on HTTPS sites only but they may point towards HTTP resources. The utility of SRI is gained not from enforcing the integrity of end resources, but from enforcing that the transport has integrity (albeit without confidentiality), thus as long as the browser is ensured of getting the SRI integrity value over an authenticated channel, it can enforce that its resources are what they expect, even if they're not over HTTPS. Since not all sites and CDNs will go to HTTPS, this can at least provide integrity (without confidentiality), and something is better than nothing.
- We should support SRI only on HTTPS sites and only pointing to HTTPS resources. Similar to (1), SRI should only be used for enforcing the integrity of end resources, since we sites that want transport security should simply use HTTPS. However, because we're talking about providing integrity guarantees, the developer can never know if the guarantee they are trying to provide actually makes it to the client, and we shouldn't pretend like it does by allowing SRI over HTTP, because that will just lead to developer confusion.
Notably, Mozilla's position that SRI should be allowed on HTTP sites but only pointing to HTTPS resources is not reflected here, so, Freddy, if you want to jump in and give that argument, go for it :-)
I have given my lgtm to Mike's CL to remove the HTTPS restrictions (https://codereview.chromium.org/803773002). I am convinced that we will not come to a consensus, and this seems like an unsatisfying change that most closely matches the most opinions. On a personal level, while I disagree with this, Mike has also convinced me that SRI is just another form of content policy, and if we're not going to require CSP over HTTPS-only, it doesn't make sense to do it here, either.--Joel
On Thu, Dec 18, 2014 at 10:46 AM, Joel Weinberger <j...@chromium.org> wrote:
> I have given my lgtm to Mike's CL to remove the HTTPS restrictions
> (https://codereview.chromium.org/803773002). I am convinced that we will not
> come to a consensus, and this seems like an unsatisfying change that most
> closely matches the most opinions. On a personal level, while I disagree
> with this, Mike has also convinced me that SRI is just another form of
> content policy, and if we're not going to require CSP over HTTPS-only, it
> doesn't make sense to do it here, either.
Soon we'll have people asking to treat SRI'd mixed content as
non-mixed content, or to treat HTTP pages with SRI'd subresources as
"secure", and so on. And we might have a hard time holding the sanity
line, because SRI in non-secure contexts blurs the line. Rest assured,
I will hold that line. But it's not going to be fun.
The basic problem is that we cannot effectively communicate security
nuance in the UX of a mainstream product whose audience is,
ultimately, every single person on the planet.
Therefore, when we have to "round off" the security message to make it
simpler, we should always round *up* — never down. If people have a
hard time knowing if they need integrity or confidentiality or both,
just give them both all the time.
On Thu, Dec 18, 2014 at 8:53 PM, Chris Palmer <pal...@google.com> wrote:On Thu, Dec 18, 2014 at 10:46 AM, Joel Weinberger <j...@chromium.org> wrote:
> I have given my lgtm to Mike's CL to remove the HTTPS restrictions
> (https://codereview.chromium.org/803773002). I am convinced that we will not
> come to a consensus, and this seems like an unsatisfying change that most
> closely matches the most opinions. On a personal level, while I disagree
> with this, Mike has also convinced me that SRI is just another form of
> content policy, and if we're not going to require CSP over HTTPS-only, it
> doesn't make sense to do it here, either.Hrm. This makes it sound like I somehow forced you, against your will, to approve the change. I certainly argued for it, and it seemed like you agreed with me. If you disagree with the change, I'd suggest not LGTMing it. I'll leave it up for a while in the hopes that someone will be willing to more strongly endorse the change. If no one comments through January when I get back from vacation, I'll land it. :)
There was, but it was from Joel's original message.
To restate Freddy: To understand Moz's take, go with Tanvi's earlier replies. :)
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.