JavaScript Code Signing


Maybe I am misunderstanding your problem, but my first thought is to use SSL. It is designed to ensure that you're talking to the server you think you are, and that no one has modified the content midstream. You do not even have to trust the network in this case, because of the nature of SSL.

The good thing about this approach is that you can fairly easily drop it into your existing web application. In most cases, you can basically configure your HTTP server to use SSL, and change your http:// requests to https://.


This is an old, open question but the answers seemed to not do this justice.

https:// provides integrity, not true identification nor non-repudiation.

I direct you to http://www.matasano.com/articles/javascript-cryptography/

Don't do crypto in JS, because a malicious injected script can easily grab passwords or alter the library. SJCL is neat, but it offers a blatantly false sense of security (their quote, and quoted by above).

Unfortunately, this is not as great as in desktop applications because it is not feasible to completely protect against code injection, malicious servers and side-channel attacks.

The long-term issue is that JavaScript lacks:

  1. Uniformly working const
  2. The ability to make objects deeply const and not reprototypable.
  3. Code-signing

    // codesign: cert:(hex fingerprint) signature:(hex MAC)

    Certs would be managed similar to CA certs. MAC would be used with appropriate sign/verify constructions.

  4. Crypto, clipboard stuff are reasons to have JavaScript native plugins (signed, of course)

Getting JavaScript engines to all implement a standard is another thing, but it's doable and it's absolutely necessary to end a large swath of malware.


You could have an external JavaScript file which takes an MD5 hash of your login JS, and sends an Ajax request to the server to verify that it is correct and up-to-date. Use basic security or encryption practices here - public/private keys or some other method to be sure that the response came from your server.

You can then confidently display to the user that the client-side scripts are verified, and allow the login script to proceed.
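
As an added example (not part of any answer above, and not a feature of any JavaScript engine), this sketch checks the `// codesign:` header line proposed in the second answer, and equally covers the public/private key check the last answer asks for. It runs in Node.js, outside the page, so the verifier itself is not exposed to injected script. Assumptions: an Ed25519 signature stands in for the answer's "MAC", the header is the first line, the fingerprint is SHA-256 of the DER-encoded public key, and all function names are hypothetical.

```javascript
// Added example (not from the answers): verify a "// codesign:" header line.
// Assumptions: Ed25519 signatures, header is the first line, fingerprint =
// SHA-256 of the signer's DER-encoded public key. Names are hypothetical.
const crypto = require('node:crypto');

const HEADER = /^\/\/ codesign: cert:([0-9a-f]{64}) signature:([0-9a-f]{128})$/;

function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Sign the script body and prepend the header line.
function signScript(body, privateKey) {
  const publicKey = crypto.createPublicKey(privateKey);
  const sig = crypto.sign(null, Buffer.from(body, 'utf8'), privateKey);
  return `// codesign: cert:${fingerprint(publicKey)} signature:${sig.toString('hex')}\n${body}`;
}

// trustStore: Map of fingerprint -> KeyObject, managed like a CA bundle.
function verifyScript(source, trustStore) {
  const nl = source.indexOf('\n');
  if (nl === -1) return { ok: false, reason: 'missing header' };
  const m = HEADER.exec(source.slice(0, nl));
  if (!m) return { ok: false, reason: 'malformed header' };
  const key = trustStore.get(m[1]);
  if (!key) return { ok: false, reason: 'untrusted signer' };
  const body = Buffer.from(source.slice(nl + 1), 'utf8');
  const ok = crypto.verify(null, body, key, Buffer.from(m[2], 'hex'));
  return ok ? { ok: true, body: body.toString('utf8') } : { ok: false, reason: 'bad signature' };
}

// Constructed sample: a throwaway key pair and a one-line login script.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const trustStore = new Map([[fingerprint(publicKey), publicKey]]);
  const signed = signScript('function login(u, p) { return submit(u, p); }\n', privateKey);
  const tampered = signed.replace('submit(u, p)', 'submit(p, u)');
  const other = crypto.generateKeyPairSync('ed25519');
  return {
    good: verifyScript(signed, trustStore),
    tampered: verifyScript(tampered, trustStore),
    unknownSigner: verifyScript(signScript('x\n', other.privateKey), trustStore),
    unsigned: verifyScript('console.log(1)\n', trustStore),
  };
}

console.log(demo());
```

The verifier fails closed: a missing header, an unknown fingerprint and a changed body are all rejected, and only the verified body is returned to the caller.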