Conversation

Notices

  1. drak drak

    @glynmoody: this is what web developers can already do to get good security when using insecure resources: https://chaoswebs.net/image-sri/

    Sunday, 02-Apr-17 08:35:42 UTC from web
    • kuro and kat like this.
    • kat kat

      @drak reading https://www.w3.org/TR/SRI/

      Sunday, 02-Apr-17 09:17:53 UTC
    • drak drak kat

      SRI is really, really cool! Now a single SSL website can in theory secure a whole website. And we could p2p all resources via their hashes.

      Sunday, 02-Apr-17 09:44:35 UTC
    • drak drak

      Do you see how this provides the basic ingredient to re-decentralize the web with mere userscripts?

      Sunday, 02-Apr-17 09:58:57 UTC
    • neimzr4luzerz neimzr4luzerz kat

      I hope you meant SNI (RFC 3546), which btw is still a bad idea: Single point of failure. You are still falling for Web of Trust Meme. DANE or BTFO. @drak @kat

      Sunday, 02-Apr-17 11:16:18 UTC
    • kat kat neimzr4luzerz

      @neimzr4luzerz @drak The two seem orthogonal. DANE to secure your SSL, SRI to guarantee third party content. Anyway IPFS will fix it all

      Sunday, 02-Apr-17 12:05:09 UTC
    • neimzr4luzerz neimzr4luzerz kat

      @kat @drak
      >falling for the IPFS meme
      I have 100% genuine organic based snake oil I need to sell https://shitposter.club/attachment/556296

      Sunday, 02-Apr-17 12:14:51 UTC
    • kat kat neimzr4luzerz

      @neimzr4luzerz @drak lol... yeah, but I'm using I2P for the transport layer.

      Sunday, 02-Apr-17 12:50:22 UTC
    • neimzr4luzerz neimzr4luzerz kat

      @kat @drak while I commend you for using I2P, that image is Gnutella. Something which has surpassed IPFS pre-alpha goal ages ago.

      Sunday, 02-Apr-17 12:57:30 UTC
      drak likes this.
    • drak drak kat

      IPFS does not provide you with anonymity, so it’s not a fix-it-all. But it does improve on the current state of the clearnet.

      Sunday, 02-Apr-17 12:59:31 UTC
    • drak drak neimzr4luzerz

      @neimzr4luzerz SRI means that you only need to secure one single transfer to prevent any outside corruption (but not surveillance).

      Sunday, 02-Apr-17 13:07:53 UTC
    • neimzr4luzerz neimzr4luzerz

      @drak SRI or SNI? I am 100% sure you mean SNI. Either way it's fucked.

      Sunday, 02-Apr-17 13:13:10 UTC
    • drak drak neimzr4luzerz

      I am 100% sure that I mean subresource integrity (SRI).

      Sunday, 02-Apr-17 13:16:53 UTC
    • neimzr4luzerz neimzr4luzerz

      @drak I did not have that context, thank you for clarifying!

      Sunday, 02-Apr-17 13:22:06 UTC
    • drak drak neimzr4luzerz

      With SRI it would even be possible to get all sub-resources via another transport which references it by content (the SRI hash). Or to cache it and for example to re-use the same jquery file over multiple websites (safely, since the hash is the same).

      Sunday, 02-Apr-17 13:23:18 UTC
      neimzr4luzerz likes this.
    • neimzr4luzerz neimzr4luzerz

      @drak having just overviewed the specification: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity I can say it's not enough: the document needs to implement PKI, and sign external resources with its Document key, …

      Sunday, 02-Apr-17 13:30:28 UTC
    • kat kat

      @drak I know... But it is content addressable, so self authenticating?

      Sunday, 02-Apr-17 15:55:59 UTC
    • drak drak neimzr4luzerz

      Experimentally I can say that elements with the wrong hash are ignored. With that, having the HTML page secured suffices.

      Sunday, 02-Apr-17 16:15:31 UTC
    • drak drak kat

      Yes: a link with SRI might still provide a URI, but the SRI part is a hash of the content: if that does not match, the file is rejected.

      Sunday, 02-Apr-17 17:32:18 UTC
    • drak drak kat

      When adding SRI the link turns into a hint where to find the content, but the SRI decides whether to accept it.

      Sunday, 02-Apr-17 17:35:34 UTC
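
An added example, not part of the conversation above: the behaviour described in the last posts (the URL is only a hint, the SRI hash decides whether the bytes are accepted, so any transport or cache can supply them), written in Python. It follows the SRI rule of checking only the strongest algorithm listed; the source names `cdn.example` and `peer-cache` and the sample script bytes are constructed.

```python
from __future__ import annotations
import base64
import hashlib

# Digest algorithms defined for SRI, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Build an integrity value such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def parse_integrity(value: str) -> list[tuple[str, str]]:
    """Split an integrity attribute into (alg, base64 digest) pairs,
    dropping unknown algorithms and any '?options' suffix."""
    pairs = []
    for token in value.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in STRENGTH:
            pairs.append((alg, rest.split("?", 1)[0]))
    return pairs

def matches(content: bytes, integrity: str) -> bool:
    """Accept content only if it matches a digest of the strongest listed algorithm."""
    pairs = parse_integrity(integrity)
    if not pairs:
        return True  # no usable metadata: SRI imposes no restriction
    best = max(STRENGTH[alg] for alg, _ in pairs)
    for alg, expected in pairs:
        if STRENGTH[alg] == best:
            actual = base64.b64encode(hashlib.new(alg, content).digest()).decode()
            if actual == expected:
                return True
    return False

def first_valid(sources: dict[str, bytes], integrity: str) -> str | None:
    """Return the name of the first source whose bytes match, else None."""
    for name, content in sources.items():
        if matches(content, integrity):
            return name
    return None

# Constructed sample: a script, a CDN copy modified in transit, an intact peer copy.
GOOD = b"console.log('library v1');\n"
PINNED = sri_hash(GOOD)  # the value the HTTPS-delivered page would carry
SOURCES = {"cdn.example": GOOD + b"/* modified */", "peer-cache": GOOD}
```
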


1w6 uRPG is a microblogging service by Arne (Drak) Babenhauserheide. It runs on the microblogging software StatusNet (version 1.1.1-release), which is available under the GNU Affero General Public License. The running version includes the patches from draketo.de/proj/statusnet-patches.

All content and data of 1w6 uRPG are available under the Creative Commons Attribution 3.0 license.