Are there any current browser standards for validating that the served JS is ‘safe’? I can see such a thing also being useful for applications like ProtonMail, for example.
What about something like a browser extension that queries an audit server for a list of signed hashes of ‘safe’ JS?
- Well-known code auditors could perform reviews of JS
- They could sign JS they find safe with their PGP keys and upload it to some server
- Users could choose to trust certain auditors
- Every time you visit a site that you choose to require this kind of validation, you could check that the hashed JS matches the key
I guess we’re going the way of PKI+SHA hashes of distributed binaries all over again though. Also, if the website updates JS, you’d need to wait for auditors to review it, and there’s a whole mess there (websites would probably have to serve beta versions of their code ahead of release so auditors could have time to review them). Finally, JS would have to be static across all users and I’m not sure how feasible this is.
There is some benefit, though? Now you are distributing the trust over ProtonMail and your trusted auditors. This could be useful if we find ProtonMail to be compromised one day. This might even spawn businesses aimed solely at reviewing websites’ code.
There has to be a better way to do this. How can we bring ‘code review’ to web applications?
You need to sign an entire chain of HTML+JS+CSS+everything else, as you can build a keylogger with CSS. The web is weird. I wouldn't be surprised to find out that one can build a keylogger with some tricky font file. But it definitely should be possible to build an addon like that. Although it would require some good cryptographers so as not to make mistakes.
I don't think there are any browser standards for that. I guess that such a webapp is too niche and this threat is extremely niche, so very few people would care for it to be a general purpose standard.