Open steamraven opened 6 years ago
Just drop minimization completely. It is silly. If people want to minimize, they can sign and serve a minimized version. The extension should just be doing a hash and verification of the signature. I think minimization actually makes it slower on the client side, prone to various bugs in the minimizer, prone to updates in minimizer output, and consumes more memory and code space.
@steamraven, thank you for opening this issue. This is indeed a good point that I plan on addressing.
@baryluk, I wish it was that simple. Minimisation is horrible in every sense, exactly as you described. It's slow, bloated, error-prone and increases the attack vector. However, it can't be avoided. We use the minimisation as a way to achieve a canonical form. The problem is that other than Firefox, browsers don't currently support a way to get the document (HTML) as it was delivered by the server, which means the signature (or hash) would be different based on your specific browser vendor and version.
With minimisation, we can ensure (given the current browser inconsistencies) that the signature is uniform across browsers.
I hope this clarifies things. For more information, please take a look at the README: https://github.com/tasn/webext-signed-pages#technical-details
Okay so there is an issue for filterResponseData in Chromium.
Don't know whether you offer your extension for other browsers, but if this is implemented there, we could drop that requirement.
BTW am I right that on Firefox you don't apply the minimizer then – as the original content should be minimized correctly?
Oh. That sucks.
But how about using this: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/StreamFilter
This should allow you to compute a hash or HMAC easily. Most SHA256 libraries allow updating the internal state in chunks.
BTW I suggest to continue that discussion in https://github.com/tasn/webext-signed-pages/issues/16, as it is technically the same and I think dropping the minimizer should be the end goal.
Ok. In the meantime please mention briefly in the README the exact version of the minimizer and why it is needed at the current state of affairs.
> But how about using this: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/StreamFilter

That's the same issue on the Chrome/ium side… They just have to implement this; it seems nobody wants that on their side. You can only contact their issue tracker and make them aware you want that.
As @rugk said. It's not yet there.
I continued discussion in #15.
And yes, I guess you can close this issue here by what @baryluk said before:
> In the meantime please mention briefly in the README the exact version of the minimizer and why it is needed at the current state of affairs.
Currently the system takes the raw content and runs it through a Minimizer to create a canonical form before using it for signature creation or verification. This makes the signature highly dependent on the exact workings of the Minimizer. Version changes of the minimizer could change the output subtly, rendering signatures using the old minimizer invalid.
By including a version number (and/or method of canonization) in some kind of configuration block, the verifier can choose the appropriate version.
The configuration block could also include the version of the webpage for #13.
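The proposal in the issue text above, sketched as an added example that is not part of the thread or the extension's own code: the verifier picks the canonicalizer named in a signed configuration block and fails closed on a version it does not know. The canonicalizer names (`min-1`, `min-2`), the config fields (`canon`, `pageVersion`) and the use of Ed25519 from Node's `crypto` as a stand-in for the real signature scheme are all assumptions.

```javascript
// Added example (Node.js). Canonicalizer names and config fields are hypothetical.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Two stand-ins for successive minimizer releases whose output differs subtly.
const CANONICALIZERS = new Map([
  ['min-1', (html) => html.replace(/\s+/g, ' ').trim()],
  ['min-2', (html) => html.replace(/>\s+</g, '><').replace(/\s+/g, ' ').trim()],
]);

// Bytes that get signed: the config block fields plus the canonical page.
// Covering the config with the signature stops the version tag being swapped.
function signedBytes(config, html) {
  const canonicalize = CANONICALIZERS.get(config.canon);
  if (!canonicalize) throw new Error(`unknown canonicalizer: ${config.canon}`);
  return Buffer.from(JSON.stringify([config.canon, config.pageVersion, canonicalize(html)]));
}

function signPage(privateKey, config, html) {
  return sign(null, signedBytes(config, html), privateKey); // Ed25519 takes no digest name
}

// Fail closed: an unknown canonicalizer version is a verification failure.
function verifyPage(publicKey, config, html, signature) {
  if (!CANONICALIZERS.has(config.canon)) return false;
  return verify(null, signedBytes(config, html), publicKey, signature);
}

// Constructed sample: one page as signed, and as a browser might re-serialize it.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const config = { canon: 'min-1', pageVersion: 3 };
const signedHtml = '<p>Hello</p>\n  <p>world</p>';
const browserHtml = '<p>Hello</p>   <p>world</p>\n';
const signature = signPage(privateKey, config, signedHtml);

function demo() {
  return {
    taggedVersion: verifyPage(publicKey, config, browserHtml, signature),
    newerMinimizer: verifyPage(publicKey, { ...config, canon: 'min-2' }, browserHtml, signature),
    unknownVersion: verifyPage(publicKey, { ...config, canon: 'min-9' }, browserHtml, signature),
    rolledBackPage: verifyPage(publicKey, { ...config, pageVersion: 2 }, browserHtml, signature),
  };
}

console.log(demo());
```

Only `taggedVersion` verifies; a verifier that applied a newer minimizer, met an unknown tag, or was handed an altered page version rejects the signature.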