Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for Minimizer Version #15

Open
steamraven opened this issue May 25, 2018 · 9 comments
Open

Add support for Minimizer Version #15

steamraven opened this issue May 25, 2018 · 9 comments

Comments

@steamraven
Copy link

Currently the system takes the raw content and runs it through a Minimizer to create a canonical form before using it for signature creation or verification . This makes the signature highly dependent on the exact workings of the Minimizer. Version changes of the minimizer could change the output subtly, rendering signatures using the old minimizer invalid.

By including a version number (and/or method of canonization) in some kind of configuration block, the verifier can choose the appropriate version.

The configuration block could also include the version of the webpage for #13.

@baryluk
Copy link

baryluk commented Jun 15, 2018

Just drop minimization completely. It is silly. If people want to minimize, they can sign and serve minimized version. Extension should be just doing a hash and verification of signature. I think minimization actually makes it slower on client side, prone to various bugs in minimizer, prone to update in minimizer output, and consumes more memory and code space.

@tasn
Copy link
Owner

tasn commented Jun 15, 2018

@steamraven, thank you for opening this issue. This is indeed a good point that I plan on addressing.

@baryluk, I wish it was that simple. Minimisation is horrible in every sense, exactly as you described. It's slow, bloated, error-prone and increases the attack vector. However, it can't be avoided. We use the minimisation as a way to achieve a canonical form. The problem is that other than Firefox, browsers don't currently support a way to get the document (HTML) as it was delivered by the server, which means the signature (or hash) would be different based on your specific browser vendor and version.

With minimisation, we can ensure (given the current browser inconsistencies) that the signature is uniform across browsers.

I hope this clarifies things. For more information, please take a look at the README: https://github.com/tasn/webext-signed-pages#technical-details

@rugk
Copy link

rugk commented Jun 15, 2018

Okay so there is an issue for filterResponseData in Chromium.

Don't know whether you offer your extension for other browsers, but if this is implemented there, we could drop that requirement.

BTW am I right that on Firefox you don't apply the minimizer then – as the original content should be minimized correctly?

@baryluk
Copy link

baryluk commented Jun 15, 2018

Oh. That sucks.

But how about using this: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/StreamFilter

This should allow you to compute hash or hmac easily. Most SHA256 libraries allow to do update in chunks of internal state.

@rugk
Copy link

rugk commented Jun 15, 2018

BTW I suggest to continue that discussion in #16, as it is technically the same and I think dropping the minimizer should be the end goal.

@baryluk
Copy link

baryluk commented Jun 15, 2018

Ok. In the meantime please mention briefly in README exact version of minizer and why it is needed at the current state of affairs.

@rugk
Copy link

rugk commented Jun 15, 2018

But how about using this: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/StreamFilter

That's the same issue on the Chrome/ium side… They just have to implement this, seems nobody wants that on their side. You can only contact there issue tracker and make them aware you want that.

@tasn
Copy link
Owner

tasn commented Jun 15, 2018

As @rugk said. It's not yet there.

I continued discussion in #15.

@rugk
Copy link

rugk commented Jun 15, 2018

And yes, I guess you can close this issue here by what @baryluk said before:

In the meantime please mention briefly in README exact version of minizer and why it is needed at the current state of affairs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants