New Firefox, Chrome SRI script whip to foil man-in-the-middle diddle

Hashes to stop sly CDN tampering


Scripting will in the next few months become safer with Mozilla and Google adopting a validation mechanism to protect against man-in-the-middle attacks.

The Subresource Integrity (SRI) check is being developed by boffins at Google, Mozilla, and Dropbox under the World Wide Web Consortium.

The specification means the integrity of scripts including those developed by individual users can be determined using hashes. Dynamic scripts are more difficult given that their changing nature would continually alter hashes.

Mozilla senior software engineer and SRI author Francois Marier told the AusCERT conference on the Gold Coast today that external scripts are a serious risk noting that he found 2.5 million references in Github accounts to a JQuery script hosted on a Google server.

"What could possibly happen if someone gets into that server? An attacker could add a malicious payload to the Javascipt and then steal sessions, redirect to phishing sites, enlist users into denial of service bots and so on," Marier says.

"By putting a hash on the script, the guarantee we get from browsers is that if that script ever changes, then it will be blocked because the hash isn't going to match anymore."

Presentation podcast: download Integrity protection for third-party JavaScript.

Marier told El Reg the SRI will be within a month available in the developer editions of Google Chrome and Mozilla Firefox and will be in stable versions (Firefox version 41) in around three months.

So far Github is one of a few to adopt the mechanism in a small deployment as part of a beta test program.

SRI has a "very small" overhead as a browser resource, according to Marier who says adoption will be easy.

Marier also urged organisations to add themselves to the browser pre-load list which requires sites to run HTTP strict transport security (HSTS).

So far only 16 Australian organisations are on the lists with major businesses including banks being conspicuously absent. Some 2000 are registered globally. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022