sri-presentation




A presentation about Subresource Integrity

On Github marumari / sri-presentation

Subresource Integrity

GET /April%20King HTTP/1.1

Security Engineer, Mozilla Corporation

april@mozilla.com | gh/marumari | @aprilmpls

When most people think about internet security, they think about this:

What about your seasoned security professional?

A+ on SSL Labs? Time to call it a day!

Content Delivery Networks (CDNs)

Who here has seen code like this?

<script src="https://code.jquery.com/jquery-2.1.4.min.js">

What does it do?

I'll get into that shortly, but first you must understand...

Same-Origin Policy

Same-Origin Policy

https:// www.mozilla.org :443

Executing code can do pretty much anything it wants on the same-origin, that is, as long as the scheme, hostname, and port number match.

If it's not on the same origin, you can execute code, but not read it.

Same-Origin Policy

<script src="https://code.jquery.com/jquery-2.1.4.min.js">

When you execute this code, you allow it to:

  • Make XMLHttpRequests
  • Read all non-HttpOnly cookies
  • Record every keystroke and form entry
  • Abuse permissions to the camera, location, etc.
  • And so much more! 😀

"More" could be injecting malware, phishing redirects, etc.

It could simply deface your fine website.

Same-Origin Policy

Or it could do something like @kkotowicz's XSS-Track...

... and create a full-page iframe of your site's login page, easily stealing a user's credentials upon entry.

Krzysztof Kotowicz

So what's the big deal?

After all, you're obviously not loading code from Eve & Mallory's Discount JavaScript Emporium!

This is jQuery!

It's the #1 most trusted name in, err… jQuery-ing.

Whoops!

And it's not just a jQuery problem…

GitHub DDoS

If it's such a problem, why does anyone use this?

<script src="https://code.jquery.com/jquery-2.1.4.min.js">

  • High performance, geolocated servers
  • Smaller requests (no cookies, etc.)
  • Already in the browser cache
  • Automatically deployed bugfixes

All of the A+ scores in the world won't help you if you source a script from a compromised CDN.

So how can one protect themselves against a compromised CDN?

Subresource Integrity to the rescue!

Subresource Integrity

SRI is a W3C standard that protects against remote resources that have been tampered with.

What does it look like?

First, generate a message digest (hash) of the known-good file in question:

$ openssl dgst -sha256 -binary jquery-2.1.4.min.js | openssl base64
8WqyJLuWKRBVhxXIL1jBDD7SDxU936oZkCnxQbWwJVw=

Because of how cryptographic hash functions work, only this exact file produces this hash. Even the slightest modification would result in a completely different hash.

Then, simply update your tags like so:

<script src="https://code.jquery.com/jquery-2.1.4.min.js"
        integrity="sha256-8WqyJLuWKRBVhxXIL1jBDD7SDxU936oZkCnxQbWwJVw="
        crossorigin="anonymous"></script>

Note: SRI also works with <link> tags!

integrity="sha256-8WqyJLuWKRBVhxXIL1jBDD7SDxU936oZkCnxQbWwJVw="

The integrity attribute tells the browser not to load the resource if its hash doesn't match the one given.

crossorigin="anonymous"

And the crossorigin attribute tells your browser to fetch the resource anonymously, that is, without sending cookies or other credentials.

SRI supports the use of multiple hash functions:

integrity="sha256-8WqyJLuWKRBVhxXIL1jBDD7SDxU936oZkCnxQbWwJVw="
integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqv…"
integrity="sha512-Pcrh/26Yxk41hr4+sU3UhsUffU6fobj5pii+T7tqmrVi8x+bUOF…"
  • Your browser picks which hash to check based on which function it considers the strongest
  • If a hash function becomes broken, your page will still load safely by using an alternative (SHA-3?)

SRI also supports multiple valid hashes for the same hash function:

integrity="sha256-8WqyJLuWKRBVhxXIL1jBDD7SDxU936oZkCnxQbWwJVw="
integrity="sha256-WcPSxGS3bNGjGRf+IUacL3pV4FDKghcLrO3Mz0pirl4="
integrity="sha256-hfc4X3ktNhCJuFB8dnhZXAN155eQmiEesLLyuuI2/YQ="
  • CDN serves up different library versions based on browser sniffing
  • An upcoming release will replace the existing file, resulting in a different hash

Manual Recovery

<script>
  window.jQuery || (function() {
    var lib = document.createElement('script');
    lib.src = '/assets/js/jquery-2.1.4.min.js';
    document.head.appendChild(lib);
  })();
</script>

Simply detect whether the library has loaded. If it hasn't, load a locally hosted copy instead.

Automatic Recovery

<script src="https://code.jquery.com/jquery-2.1.4.min.js"
        integrity="sha256-8WqyJLuWKRBVhxXIL1jBDD7SDxU936oZkCnxQbWwJVw="
        crossorigin="anonymous"
        fallbacksrc="/jquery-2.1.4.min.js"></script>

Note: this is not yet in the SRI specification and may never be! Stay tuned!

Zoinks!

Didn't you say earlier that you can only execute code on foreign origins, not read it? So how can you compute the hash if you can't read the content?

Drats! I would have gotten away with it, if it wasn't for you meddling security professionals!

Imagine a wifi router on a foreign origin that returns the following page to a logged-in user:

{
  "user": "admin",
  "password": "pass1234"
}

In such a case, an XSS attack could calculate the hashes for thousands of passwords, set the integrity attribute, and keep trying to load the resource until it succeeds.

Luckily for us, there's a solution to this conundrum/quagmire/disaster/apocalypse.

Access-Control-Allow-Origin: *

Access-Control-Allow-Origin (CORS) is a header that servers can set to allow foreign origins to read the contents of their pages.

CDNs are hosting public content, so there is no risk of a foreign origin reading their contents.

If the server doesn't set the CORS header, the integrity check will automatically fail.

🎉 Good news: most CDNs are already setting this header! 🎉

Is SRI intended for HTTP or HTTPS sites?

Origin   Resource   Notes
HTTP     HTTP       Prevents MitM/CDN on foreign request
HTTP     HTTPS      Prevents MitM/CDN on foreign request
HTTPS    HTTP       Blocked due to mixed content
HTTPS    HTTPS      Yes! 😍

SRI Support

as of November 2015

  • Browsers: Firefox 43, Chrome 45/46, Opera 32
  • CDNs: Google APIs, Bootstrap, jQuery, etc.
  • Toolchains: node.js, Sprockets (Rails), etc.

SRIHash.org can take any URL and generate the proper script tags for you!

Future of SRI

  • Automatic failover via fallbacksrc?
  • Support for other types of resources?
  • Error reporting via Content-Security-Policy (CSP)?
  • Support for other cryptographic hash functions?

Feedback on SRI

Conclusion

?
