Proposal: "requiresig" field for d/ namespace

[biolizard89]

There was some discussion about HTTPS not being sufficient to ensure authenticity of files since the TLS keys are on the server, so if the server is compromised any files on it can be maliciously changed as well (e.g. injecting a Javascript malware to a site).

So, here's a very rough proposal for a potential way to mitigate this.

Add a "requiresig" field to the d/ namespace. This has the following syntax:

Code: Select all

"requiresig" : [ "dd/signing-name-1", "dd/signing-name-2" ] 

This has the effect that all files retrieved from the domain/subdomain in question must have their hashes signed by one of the signing names. (See the file/ or hash/ proposal for how this would be done.)

Unsignable content (e.g. dynamically generated or user-generated content) should be served from a different subdomain so that the signature is not required. Websites are encouraged to use the HTML "sandbox" feature on any unsignable content that may be embedded on the page. Compliant HTTP browsers should verify the signature of all files retrieved from the domain in question, and should refuse to display the page if any of its components cannot be verified according to the policy in the blockchain.

Additional features to think about would be including whitelists/blacklists of certain paths or MIME types, so that unsigned content can be served without using a subdomain... not sure if this is actually needed.

Thoughts?

[domob]

This will surely improve security - however, at the moment I see its usability more for "few special" files (like binary / source downloads for which the proposal was originally intended). I'm not sure whether it will really help to sign every file on a webpage; as you suggest, for a lot of content of a modern web application (which is dynamic), this won't work at all. Thus the remaining cases I can think of are things like bitaddress.org, but in that case, since one is encouraged to download the file anyway, a "manual" signature check can be done.

But I'm not opposed to having this feature if it seems worthwhile to implement and you think website owners will sign their files. However, as mentioned I see the utility more in enabling this check for a special "download." subdomain, and not in enabling it for the main website and only disabling for some "special" subdomain.

[biolizard89]

This will surely improve security - however, at the moment I see its usability more for "few special" files (like binary / source downloads for which the proposal was originally intended). I'm not sure whether it will really help to sign every file on a webpage; as you suggest, for a lot of content of a modern web application (which is dynamic), this won't work at all. Thus the remaining cases I can think of are things like bitaddress.org, but in that case, since one is encouraged to download the file anyway, a "manual" signature check can be done.

But I'm not opposed to having this feature if it seems worthwhile to implement and you think website owners will sign their files. However, as mentioned I see the utility more in enabling this check for a special "download." subdomain, and not in enabling it for the main website and only disabling for some "special" subdomain.

Okay, so I'm trying to nail down exactly what this will solve in practicality. If the goal is preventing a compromised web server from serving malicious or modified code, then we have two categories of web sites (server-side and static), and two categories of threats (stealing data or delivering exploits).

Server-side websites stealing data is not really feasible to solve if the unencrypted data makes its way to the server, since a server compromise will simply allow data to be stolen at the server side, with no change in content being served to the public.

However, server-side delivery of exploits would be made significantly harder, as long as the static parts of the site are signed and all Javascript/images/CSS/whatever are static. If HTML is made static too, and the dynamic data is loaded externally (e.g. via AJAX), then this becomes even better, but this is not necessary to gain some benefit. Also, if user data is encrypted on client side (I think Mega does this?), stealing data would also be prevented by this setup (just signing the Javascript would eliminate a lot of attack space).

Static stealing of data is a really important use case that this partially solves -- right now browser-based Bitcoin wallets (or any other security-related web page) are dangerous because the Javascript could be changed at each page load. If the content is signed, then a server compromise can't cause people's Bitcoin wallets to be emptied. (Obviously you're still trusting the website owner... so still not totally secure in reality.)

And of course exploits in static sites would be eliminated too.

Downloads I honestly don't think matter a lot, since they can be verified outside of the browser. But yes, this would work for that use case in theory.

tl;dr: I think there are use cases outside of downloads.

EDIT: Added note about client-side encryption e.g. Mega, which would prevent server-side generated pages from stealing data if used in conjunction with this proposal.

[virtual_master]

I was not aware of your proposal (which is excellent) so I was thinking also about how to solve the problem of content hijacking by hackers(or seizing content by governments).

What about embedding in the domain entry additionally to the TLS fingerprint a content GPG public key, where the corresponding private key wouldn't be on the server but by the person who is redacting the content. Every time the content deliverer is actualizing the content needs to put to a specific place (for ex in the html header in a special tag) the content signature.
The browser (with a special plugin or special browser) would check the content signature against the content and the public key (in the Namecoin blockchain) and could authenticate with 100% security that it comes from the author.
Content hijacking would be never ever possible on the world.
Here would be a content editor - user authentication which would be much secure then server-user authentication. (encryption would remain on server-user, there is no other possibility for unidentified and unregistered users)

That could make Namecoin popular even for sites which are not using .bit domain and would revolutionary improve browsing security everywhere over the world.
Browsers could be configured(if implemented) not to display hijacked content or to display it with warning.
Namecoin could act generally as decentralized content authenticator for any domain.

[biolizard89]

I was not aware of your proposal (which is excellent) so I was thinking also about how to solve the problem of content hijacking by hackers(or seizing content by governments).

What about embedding in the domain entry additionally to the TLS fingerprint a content GPG public key, where the corresponding private key wouldn't be on the server but by the person who is redacting the content. Every time the content deliverer is actualizing the content needs to put to a specific place (for ex in the html header in a special tag) the content signature.
The browser (with a special plugin or special browser) would check the content signature against the content and the public key (in the Namecoin blockchain) and could authenticate with 100% security that it comes from the author.
Content hijacking would be never ever possible on the world.
Here would be a content editor - user authentication which would be much secure then server-user authentication. (encryption would remain on server-user, there is no other possibility for unidentified and unregistered users)

That could make Namecoin popular even for sites which are not using .bit domain and would revolutionary improve browsing security everywhere over the world. Namecoin could act generally as decentralized content authenticator for any domain.

So, looking at the difference between our respective proposals -- using the file/ namespace would use more blockchain space (proportional to files rather than domains), but using file/ would work for any filetype while using an HTML element would only work for HTML files and would require modifying even static sites. Since Javascript is probably a more attractive target than HTML, I'm of the opinion that a system for this would need to be agnostic of file type, hence I think using the file/ namespace would be preferable despite increased blockchain usage. What do you think?

As an aside, I noticed a specific detail that would need to be kept in mind... if the file/ name is just based on filename (rather than full URL to the file), then multiple websites which use the same Javascript library or image would have a collision... so I would recommend that the full URL of the file be used in the file/ name, rather than just the filename.

[virtual_master]

So, looking at the difference between our respective proposals -- using the file/ namespace would use more blockchain space (proportional to files rather than domains), but using file/ would work for any filetype while using an HTML element would only work for HTML files and would require modifying even static sites. Since Javascript is probably a more attractive target than HTML, I'm of the opinion that a system for this would need to be agnostic of file type, hence I think using the file/ namespace would be preferable despite increased blockchain usage. What do you think?

As an aside, I noticed a specific detail that would need to be kept in mind... if the file/ name is just based on filename (rather than full URL to the file), then multiple websites which use the same Javascript library or image would have a collision... so I would recommend that the full URL of the file be used in the file/ name, rather than just the filename.

OK. You have right. I considered only static html but this concept can be extended very easily. With Javascript you also have right.
I am not sure if I understood your proposal correctly.
Why should your proposal use more the blockchain ? Because the dd/ entry ?(the additional usage is not semnificative)
Or do you want to store the file signatures in the blockchain ?
If yes, using the blockchain for every file update I think it would be extremely inconvenient. I wouldn't use so.

Having the reference for the signatures of the html content and loaded embedded content(loaded from the site or externally - doesn't matter) in header tags .
for ex. helloworld.html
<html>
<head>
<title>This is a title</title>
<localsignature>YES</localsignature>
<externsignature>YES</externsignature>
</head>
<body>
<p>Hello world</p>
<img src="helloworld.png" alt="helloworld">
<img src="anotherdomain.com/subdirectory/helloworld2.png" alt="helloworld2">

</body>
</html>
would have a corresponding helloworld.sig.
If the <localsignature> tag is on YES then all locally embedded files also need signature.
helloworld.png - helloworld.png.sig
If the <externsignature> tag is on YES then all externally embedded files also need signature.(if dynamic content is embedded externally then this should be put on NO) The signature could be locally in the above example in the file anotherdomain.com.subdirectory.helloworld2.png.sig.(I am not sure if it is so safe this solution for external embedded content)
Here all can be included what can be displayed on the page but not content which is linked for download.

Having more validators as you proposed above is not a problem and their public keys could be referred to the dd/ entry as proposed or saved directly in the d/ entry.

This will surely improve security - however, at the moment I see its usability more for "few special" files (like binary / source downloads for which the proposal was originally intended). I'm not sure whether it will really help to sign every file on a webpage; as you suggest, for a lot of content of a modern web application (which is dynamic), this won't work at all. Thus the remaining cases I can think of are things like bitaddress.org, but in that case, since one is encouraged to download the file anyway, a "manual" signature check can be done.

But I'm not opposed to having this feature if it seems worthwhile to implement and you think website owners will sign their files. However, as mentioned I see the utility more in enabling this check for a special "download." subdomain, and not in enabling it for the main website and only disabling for some "special" subdomain.

Dynamic files would be safe as before with TLS security on the server side. (here is no content author validation possible because the server generates the content)

With downloadable content I am also on the meaning that should be better solved outside of the browser like Biolizard already expressed above. But it would be also possible to create a <downloadsignature>YES</downloadsignature> tag in the html header which enables downloaded content to be checked to be valid against a local signature file. This would be only possible after downloading the content eventually with a special button in the browser. But here more changes would be necessary and it would create eventually confusion when the content is embedded but can be downloaded also.

[phelix]

Why not use the fingerprinted TLS key for signing? "requiresig":"true"

Signed websites could certainly improve security but I think it is a couple of steps further down the road.

For now I mostly trust my browser to prevent malicious stuff.

[biolizard89]

So, looking at the difference between our respective proposals -- using the file/ namespace would use more blockchain space (proportional to files rather than domains), but using file/ would work for any filetype while using an HTML element would only work for HTML files and would require modifying even static sites. Since Javascript is probably a more attractive target than HTML, I'm of the opinion that a system for this would need to be agnostic of file type, hence I think using the file/ namespace would be preferable despite increased blockchain usage. What do you think?

As an aside, I noticed a specific detail that would need to be kept in mind... if the file/ name is just based on filename (rather than full URL to the file), then multiple websites which use the same Javascript library or image would have a collision... so I would recommend that the full URL of the file be used in the file/ name, rather than just the filename.

OK. You have right. I considered only static html but this concept can be extended very easily. With Javascript you also have right.
I am not sure if I understood your proposal correctly.
Why should your proposal use more the blockchain ? Because the dd/ entry ?(the additional usage is not semnificative)
Or do you want to store the file signatures in the blockchain ?
If yes, using the blockchain for every file update I think it would be extremely inconvenient. I wouldn't use so.

Ok, yeah, I think you're right, using the blockchain per file would (among other things) have major transaction fees... so scratch that.

Having the reference for the signatures of the html content and loaded embedded content(loaded from the site or externally - doesn't matter) in header tags .
for ex. helloworld.html
<html>
<head>
<title>This is a title</title>
<localsignature>YES</localsignature>
<externsignature>YES</externsignature>
</head>
<body>
<p>Hello world</p>
<img src="helloworld.png" alt="helloworld">
<img src="anotherdomain.com/subdirectory/helloworld2.png" alt="helloworld2">

</body>
</html>
would have a corresponding helloworld.sig.
If the <localsignature> tag is on YES then all locally embedded files also need signature.
helloworld.png - helloworld.png.sig
If the <externsignature> tag is on YES then all externally embedded files also need signature.(if dynamic content is embedded externally then this should be put on NO) The signature could be locally in the above example in the file anotherdomain.com.subdirectory.helloworld2.png.sig.(I am not sure if it is so safe this solution for external embedded content)
Here all can be included what can be displayed on the page but not content which is linked for download.

Having more validators as you proposed above is not a problem and their public keys could be referred to the dd/ entry as proposed or saved directly in the d/ entry.

Funnily enough, I just noticed that there's actually already a W3C/IETF spec for signing web pages. Here are some links:

http://www.w3.org/Signature/ (Working group)
http://www.xml.com/pub/a/2001/08/08/xmldsig.html (Intro for XML authors)
http://www.w3.org/2007/11/h6n/ (Intro for HTML authors)

So, I guess all we have to do in terms of specification is embed the public key for the XML Signature in the blockchain, along with a link to the XML Signature file. Everything else can be handled by the XML Signature specification. Much easier.

Dynamic files would be safe as before with TLS security on the server side. (here is no content author validation possible because the server generates the content)

You can actually simulate validation of dynamic files to some limited extent if you make parts of them static (e.g. the "code") and just use AJAX to load the dynamic part (the calculated "data"). Code needs to be validated since it can do nasty things, but data doesn't necessarily need to be validated as much, particularly if it uses HTML's sandbox feature.

Why not use the fingerprinted TLS key for signing? "requiresig":"true"

Signed websites could certainly improve security but I think it is a couple of steps further down the road.

For now I mostly trust my browser to prevent malicious stuff.

Browsers have exploits, it happens. Also, this is useful for things like ensuring that static content hasn't been messed with. Imagine I compromised a website and replaced their Bitcoin donation address with my own address, or I compromised a Linux help website and caused it to show instructions that reformat your hard drive, or I compromised a whistleblower repository and caused a leaked document to be replaced with one that I wrote.

[virtual_master]

Funnily enough, I just noticed that there's actually already a W3C/IETF spec for signing web pages. Here are some links:

http://www.w3.org/Signature/ (Working group)
http://www.xml.com/pub/a/2001/08/08/xmldsig.html (Intro for XML authors)
http://www.w3.org/2007/11/h6n/ (Intro for HTML authors)

So, I guess all we have to do in terms of specification is embed the public key for the XML Signature in the blockchain, along with a link to the XML Signature file. Everything else can be handled by the XML Signature specification. Much easier.

Yes. Good that you observed.
So we are not the first who thought about solving this problem.
And there is a lot of stuff to read about and I can see just specifications and in best case a proof of concept.
I am not sure how far the browsers are supporting this.

[biolizard89]

Funnily enough, I just noticed that there's actually already a W3C/IETF spec for signing web pages. Here are some links:

http://www.w3.org/Signature/ (Working group)
http://www.xml.com/pub/a/2001/08/08/xmldsig.html (Intro for XML authors)
http://www.w3.org/2007/11/h6n/ (Intro for HTML authors)

So, I guess all we have to do in terms of specification is embed the public key for the XML Signature in the blockchain, along with a link to the XML Signature file. Everything else can be handled by the XML Signature specification. Much easier.

Yes. Good that you observed.
So we are not the first who thought about solving this problem.
And there is a lot of stuff to read about and I can see just specifications and in best case a proof of concept.
I am not sure how far the browsers are supporting this.

There's a Firefox extension implementing the spec: https://addons.mozilla.org/en-US/firefo ... ture-tool/

Looks like it supports Firefox 24 but hasn't yet been updated for the recent Firefox 25. I haven't tried it.