Hello Team,
I’m Thomas, Software Engineer at Dashlane (https://www.dashlane.com).
For a few years now we’ve been looking for a way to ship our online web application (https://app.dashlane.com) signed exactly like our other apps (Windows, Android, …). The goal would be to protect our users against a compromise of our servers or CDN. This is very important in our security model: the data of our users is decrypted locally on user computers (“zero-knowledge architecture”).
Your new Signed HTTP Exchange technology sounds very promising. We’ve been trying it with success but something is missing to really cover our use case. The main issue is that there is no visual cue for the user to know that the app served has been signed. We understand that the main use case for which SXG has been designed is not exactly our use case and you might not want the user to see that SXG is in action. But it’s a pity: with this new technology we are really close to being able to serve a signed application.
Do you think this is an addition that could be considered? If not, would you have any other advice to help us serve secure applications?
Thanks,
Thomas Guillory
Senior Engineering Manager
Disclaimer
The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
--
You received this message because you are subscribed to the Google Groups "WebPackage-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to webpackage-de...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/webpackage-dev/8F1DD8FA-DBDA-4F41-8FD4-BB2FFDC65031%40dashlane.com.
Thanks Jeffrey for your quick answer.
That’s good to hear that you are considering this in your goals. We are willing to help, so if there is anything we can do to help this effort, please tell us.
Enjoy your vacations 😊
Thomas Guillory
Senior Engineering Manager
From: Jeffrey Yasskin <jyas...@chromium.org>
Date: Wednesday 12 June 2019 at 03:27
To: Thomas Guillory <Thomas....@dashlane.com>
Cc: "webpack...@chromium.org" <webpack...@chromium.org>
Subject: Re: SXG to serve signed web apps
I'm on vacation until June 19, so if I don't get back to you with more details shortly after that, please send a reminder. The short answer is that this is absolutely one of our goals, probably with Bundles in addition to SXG. It's currently not in the top tier of priorities, but that's partially based on how many people have expressed interest in each use case, so your interest will help.
I currently think the mechanism would probably be similar to Public Key Pinning, which got removed from the platform as a footgun, so when designing it, we'll have to think about how to help developers avoid hurting themselves.
To add a UI marker for a signed app, we'd need a clear, user-understandable rule for how that UI is earned and what it means. I can imagine a few options, but the history of EV certificates isn't hopeful in this area.
Jeffrey
Hi Jeffrey,
I hope you enjoyed your vacations 😊
We are excited by your previous answer on the topic of signed web apps; it is aligned with our own vision. We are willing to contribute if possible. Is there any way we can help to progress on this topic?
Hi Jeffrey,
That’s awesome. Your proposal looks very good for our use case. You can definitely mention Dashlane.
We will do our best to attend the next IETF meeting and will post to the mailing list as soon as possible.
Thanks a lot for your support,
Thomas Guillory
Senior Engineering Manager
From: Jeffrey Yasskin <jyas...@chromium.org>
Date: Monday 14 October 2019 at 23:07
To: Thomas Guillory <Thomas....@dashlane.com>
Cc: Jeffrey Yasskin <jyas...@chromium.org>, "webpack...@chromium.org" <webpack...@chromium.org>, Cyril Leclerc <cy...@dashlane.com>
Subject: Re: SXG to serve signed web apps
Hi Thomas, sorry that it took me so long to get back to you.
I've sketched out my idea for how we could help you at https://github.com/WICG/webpackage/pull/504. Although there's nothing that would prevent a browser from displaying the company name that signed a website, I think it's unlikely we would, for the same reasons that the display of EV certificates has been phased out, including https://stripe.ian.sh/. Do you think that just pinning the signing certificate would give you enough value? Can we mention Dashlane specifically in this use case?
We're proposing that the IETF create a working group to develop and standardize these formats, at the next IETF meeting in November. It would be helpful if you post to wp...@ietf.org (https://www.ietf.org/mailman/listinfo/Wpack) with your interest and any comments, to show the community that this is a useful thing to work on. You can also attend the meeting either in person in Singapore or remotely, if the timezones work for you.
There's a lot of controversy around origin-trusted signatures at the IETF, but this kind of signature hasn't gotten as much attention. My feeling is that it'll be more acceptable to other implementers.
Jeffrey