Support and tools for Subresource Integrity

Subresource Integrity is a feature for increasing confidence in external resources like JavaScript and stylesheets.

A website using a CDN to host things like jQuery, for example, is vulnerable to the integrity of that CDN. And since scripts are loaded via HTML content and thus managed by web devs who would use the fastest way to get their applications into the hands of their customer, it can be a real pain in the neck for admins to keep track of.

Basically it’s an attribute on `<script>` and `<link>` tags that’s called “integrity”, so for example, let’s say my Drupal page (true story) has the following:

<script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>

The way to add integrity of that would be to download the resource and calculate its signature:

 ~ $ curl https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js 2>/dev/null| openssl dgst -sha384 -binary | openssl base64 -A
8gBf6Y4YYq7Jx97PIqmTwLPin4hxIzQw5aDmUg/DDhul9fFpbbLcLh3nTIIDJKhx%
 ~ $ 

Then adding the algorithm plus signature to the tag:
<script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js" integrity="sha384-8gBf6Y4YYq7Jx97PIqmTwLPin4hxIzQw5aDmUg/DDhul9fFpbbLcLh3nTIIDJKhx" crossorigin="anonymous"></script>

This can also be enforced with the Content-Security-Policy attributes require-sri-for:
Content-Security-Policy: require-sri-for script; require-sri-for style;

Is there any chance features for things of this nature might get baked into Cloudflare?

Doesn’t this process defeat the security of this? For example, if someone hacks the resource, whatever automated process that adds that signature is going to update the signature to match the compromised file.

I love CSP and use it, but it can be a huge pain at times when it comes to adding signatures. I wish I had an easy way to add nonces to inline resources. Same goes with updating my CSP whenever I update my local resources.

1 Like

Agree this is something you absolutely don’t want Cloudflare doing as it totally defeats the purpose of you having done it manually yourself with a resource you know is ‘safe’.

As an aside, seeing as you use CSP - have you noticed Cloudflare sporadically serving out unminified JS even when you have it turned on? I have to define the signatures of both original and Cloudflare-minified JS in my HTML in order to make sure it’s always loaded lest Cloudflare serves it straight through and breaks the SRI. Wondered if it was just me.

I thought about that, I guess that would depend on the implementation.

If you were presented with all the external resources of a site as a list and able to check each one or all at the same time and “Add integrity signature” and it would save those sigs on Cloudflare’s servers permanently, not to change them again until you manually requested it, I don’t see why that would be less secure than doing it manually. At some point you have to trust the resource to snapshot it and settle on a signature even if you can’t verify its sanity right then and there.

Another thing Cloudflare might do is for it to detect common external resources like jQuery or such and offer to change the reference to point to its own CDN or have an integrity signature automatically on those resources because the layout and checksum of ‘jQuery 2.1.4 minified’ should be a knowable thing without looking.

1 Like
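As an added example (not code from any poster in this thread or from Cloudflare), the Python below checks a resource against a stored pin that is never regenerated automatically, accepts more than one hash in the pin as with the original and minified variants mentioned earlier, and lists external scripts and stylesheets that carry no integrity attribute. The sample bytes are constructed; failing closed on an unusable pin and treating any scheme or protocol-relative URL as third-party are assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser

ALGS = ("sha256", "sha384", "sha512")  # weakest to strongest

def sri_hash(data, alg="sha384"):
    """Same value as `openssl dgst -sha384 -binary | openssl base64 -A`, with the prefix."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, data).digest()).decode()

def matches_pin(data, integrity):
    """Check bytes against a stored integrity value; the pin is never recomputed here."""
    pins = [p.split("?")[0] for p in integrity.split()]
    pins = [p for p in pins if p.split("-", 1)[0] in ALGS]
    if not pins:
        return False  # assumption: fail closed when the pin has no usable hash
    best = max(ALGS.index(p.split("-", 1)[0]) for p in pins)
    # As in browsers: only the strongest algorithm listed counts, any of its hashes may match.
    return any(p == sri_hash(data, ALGS[best]) for p in pins)

class MissingSRI(HTMLParser):
    """Collect external scripts and stylesheets that carry no integrity attribute."""

    def __init__(self):
        super().__init__()
        self.missing = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        else:
            return
        # Assumption: a scheme or protocol-relative URL means a third-party host.
        if url and url.startswith(("//", "http://", "https://")) and not a.get("integrity"):
            self.missing.append(url)

def audit(html):
    parser = MissingSRI()
    parser.feed(html)
    return parser.missing

if __name__ == "__main__":
    original = b"/* constructed stand-in for a library file */"
    pin = sri_hash(original)  # taken once from a trusted copy, then stored
    print(matches_pin(original, pin), matches_pin(original + b";changed()", pin))
    print(audit('<script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>'))
```

A changed upstream file makes `matches_pin` return False instead of silently producing a new hash, so the decision to re-pin stays with a person.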

Cloudflare already kind of do this - they’re the main sponsor of cdnjs. This has the SRI hashes available to you in the copy-and-paste of the links if you don’t want to generate them yourself. Doesn’t go as far as the level of scraping and automation you want with them trawling your sites and suggesting recommendations etc. but is about the same end result if you choose to use it (e.g. resources loaded from their CDN, SRI hashed links etc).

1 Like