Question about component libraries security?


mes...@gmail.com

Oct 7, 2013, 6:52:00 AM
to polym...@googlegroups.com
Hello,

Sorry if this is considered off topic here. If so, please advise where this kind of question should be posted.

From what I've seen so far in videos, and having tried Polymer a little bit myself, I see great advantages in what Web Components and a project like Polymer can do for application development in many respects. One of the aspects is security, which is quite essential by today's standards to gain acceptance beyond hobbyists. Thus, with web components it's possible to get cleaner applications with less probability of side effects, like leaking, in general. Perhaps also a smaller main portion of the application, as the code moves more into reusable libraries which are then loaded on demand.

So all of the above made me think: has there been any thought yet on how it would be possible to sign those component libraries and then verify them on load, before execution?

I think it would be great to be able to do that; it would be an exceptionally good idea and a cost saver from an auditing perspective. I'm not sure if that kind of feature has been proposed, planned or even implemented somewhere, or which parts of it should be part of the web browser and which parts a standardised representation in components, but certainly the modular structure of a Polymer kind of thing would benefit from it, AFAIK.

That's the short version of what I'm thinking, and it would be great to hear what others think about it. I know, been there, done that: security is not usually the first thing that comes to the minds of developers, but in today's world it should, more often than in the past, already in quite early stages of projects. Security is best implemented all the way, not just quickly added ad hoc afterwards. This is why I thought it would be nice to hear whether anyone has thought about these matters yet.

Cheers,

:-) riku
 
P.S. A little background: I'm not an active developer, at least not anymore, though I earned my living for 7.5 years, a long time ago, developing applications in my earlier career. Since then I've been more in networking, network management, security and sysadmin work, and I do some integration to get applications to talk to each other when needed. I like to follow new trends in software development and play with some that I find interesting. Polymer clearly stands out as a very interesting development direction, perhaps the most interesting I've seen in a decade.

Daniel Freedman

Oct 7, 2013, 3:39:07 PM
to polym...@googlegroups.com, mes...@gmail.com
This question seems much larger in scope than just polymer, but I can point out a few bits that help auditing.
Polymer itself has an audit log for the minified build: https://github.com/components/polymer/blob/master/build.log
If you yourself host all the elements used in your application, version control systems provide a clear audit trail that can be verifiable.

As for using third party components, Polymer and Web Components don't add anything new here.
HTMLImports have to follow CORS, the same as <script src>. ShadowDOM can help with styling, but it does not encapsulate script.
Other than that, you have the same security scenarios as any other web site or application.

The broader questions you have about security and verification, and what primitives would need to be in the browser vs javascript, seem like excellent topics for the W3C WebApps Working Group whose mailing list is public-...@w3.org

mes...@gmail.com

Oct 10, 2013, 5:58:04 AM
to polym...@googlegroups.com, mes...@gmail.com
Hello,

Sorry about the delay in replying. I'm currently on vacation and thus try not to spend that much time online.


On Monday, October 7, 2013 10:39:07 PM UTC+3, Daniel Freedman wrote:
> This question seems much larger in scope than just polymer, but I can point out a few bits that help auditing.
> Polymer itself has an audit log for the minified build: https://github.com/components/polymer/blob/master/build.log
> If you yourself host all the elements used in your application, version control systems provide a clear audit trail that can be verifiable.


Agreed, it's a larger question/scope than just Polymer.

However, bare version control with checksums, an automated build system and logs provide integrity, but this is still quite weak at noticing a compromised author account or the like being used to inject malicious code. There have been several occasions in past years, as we have seen.

Code signing is a much stronger instrument; in addition to Integrity it provides two additional features, Authorisation and Non-repudiation. When implemented properly (by a well-controlled process, with signing handled securely outside of the automated build system), it's much harder to cause havoc with these.

Sure, signed code should be reviewed and audited before being used in a critical system, but it is better to know it's really from the project guys you expect, and it is easily verifiable for an older version of a code library even after years, when the build system has been updated a couple of times, log files were recycled long ago, and the guys who then worked for the project might have only a hazy memory of events a couple of years back.
 

> As for using third party components, Polymer and Web Components don't add anything new here.

True. I just tinkered with Polymer and Web Components, which led me to think signing has benefits on the audit side too, as it has such a modular structure, most parts of which possibly will not change too often once the code is mature enough. Once audited, signed code can be trivially revisited and checked, compared to code which is not signed. I think I have some practical insight on this, as I used to be a CISA practitioner :)

It would be best if code were signed by multiple instances, first by developers and then by auditors if that is required. (Think of using your components to build a banking application or the like if you wonder where that would be a good idea.)

> HTMLImports have to follow CORS, the same as <script src>. ShadowDOM can help with styling, but it does not encapsulate script.
> Other than that, you have the same security scenarios as any other web site or application.
>
> The broader questions you have about security and verification, and what primitives would need to be in the browser vs javascript, seem like excellent topics for the W3C WebApps Working Group whose mailing list is public-...@w3.org


Thanks for those links, I will follow up there. I already spent some time reading what they have been up to.

:-) riku
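
The check discussed in this thread (verify a component's signatures on load, with developers and auditors each signing), sketched as an added example that is not part of the original posts and not Polymer code. Node.js with Ed25519 stands in for the loader; the keys, signer names and component text are constructed.

```javascript
// Added illustration; keys, signer names and component text are constructed.
const crypto = require("node:crypto");

// Constructed signers: private keys would live offline, outside the build system.
const developer = crypto.generateKeyPairSync("ed25519");
const auditor = crypto.generateKeyPairSync("ed25519");

// Trust store the loader ships with: signer name -> public key.
const trusted = new Map([
  ["developer", developer.publicKey],
  ["auditor", auditor.publicKey],
]);

// Produce a detached signature entry over the exact component bytes.
function signComponent(source, signer, privateKey) {
  const sig = crypto.sign(null, Buffer.from(source, "utf8"), privateKey);
  return { signer, sig: sig.toString("base64") };
}

// Return the required signers whose signature is missing or invalid.
function missingSigners(source, signatures, required, trustStore) {
  const data = Buffer.from(source, "utf8");
  return required.filter((name) => {
    const key = trustStore.get(name);
    if (!key) return true; // an unknown signer can never satisfy the policy
    return !signatures.some(
      (s) => s.signer === name &&
        crypto.verify(null, data, key, Buffer.from(s.sig, "base64"))
    );
  });
}

// Gate: release the source only when every required party has signed it.
function loadVerified(source, signatures, required, trustStore) {
  const missing = missingSigners(source, signatures, required, trustStore);
  if (missing.length > 0) {
    throw new Error("refusing to load, no valid signature from: " + missing.join(", "));
  }
  return source;
}

// Constructed component and its two detached signatures.
const component = '<polymer-element name="x-demo"><template>hi</template></polymer-element>';
const sigs = [
  signComponent(component, "developer", developer.privateKey),
  signComponent(component, "auditor", auditor.privateKey),
];
```

A signature entry only counts for the name whose trusted public key verifies it, so a developer key cannot stand in for the auditor, and any change to the component bytes invalidates both signatures.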
 