Hacker News new | past | comments | ask | show | jobs | submit login

The first comment on that thread is from @eganist (not me, but my colleague). This is how Cyph's HPKP-based code signing works: https://cyph.team/websigndoc

tl;dr: the same idea that we showed how to apply maliciously via RansomPKP is also applied for defensive purposes, in this case to persistently pin a client-side page with logic that validates and runs signed packages.




Here's a potentially easier to read (doesn't require JavaScript) document explaining WebSign:

https://www.cyph.com/websign

It's a really smart idea, although it did have some odd edge cases, and required you to trust that they really were throwing away the keys as promised.

There is some talk in the W3C of extending the SRI standard to let a website declare that all (or just certain) included resources have been signed by an (offline) PGP key:

https://github.com/w3c/webappsec/issues/449

so we might one day reach a point where running a webapp at least has the small security guarantee that a TOFU policy gives you. If this could be combined with versioned releases of webapps, and the signature appearing in something like a Binary Transparency log, then the security guarantee could actually be quite meaningful:

https://wiki.mozilla.org/Security/Binary_Transparency


Thanks Dane! I'd actually just published that copy on cyph.com to edit into the above comment, and missed the edit cutoff by a couple minutes.

The rest of that is very interesting! I wasn't aware of that PGP signing discussion, but it would be very exciting if it panned out.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: