STEAL THIS IDEA

1.  
2. This is just a very rough draft. If anyone wants to take this up as a FOSS
3. project, feel free; I only ask that Taylor and I be mentioned somewhere in the
4. credits.
5.  
6. ################################################################################
7. _____ __ _____ _ _
8. / ____| / _| / ____| (_) | |
9. | (___ __ _| |_ ___ _ _| (___ ___ _ __ _ _ __ | |_
10. \___ \ / _` | _/ _ \ '__\___ \ / __| '__| | '_ \| __|
11. ____) | (_| | || __/ | ____) | (__| | | | |_) | |_
12. |_____/ \__,_|_| \___|_| |_____/ \___|_| |_| .__/ \__|
13. | |
14. |_| (The name is negotiable)
15. _______________________________________________________________________________
16. \ ;
17. \ Making Javascript Safer, Preventing XSS Payloads ;
18. \ @voodooKobra (Scott Arciszewski) ;
19. \ Further suggestions by @DefuseSec (Taylor Hornby) ;
20. \__________________________________________________________________________;
21.  
22. WHAT IS IT?
23. An optional way to configure only digitally signed Javascript for websites
24. set up to use it.
25.  
26. COMPONENTS
27. o Browser plugin (Firefox at first, eventually Chrome & Opera?)
28. o Netbeans plugin (for developers)
29. o CLI Program (integrates with gnupg) for the server
30. o Source file on the server
31. o Publicly accessible whitelist file
32. o Network of notaries which audit the signed whitelists to detect abuse
33. _____________________
34. | The Browser Plugin \______________________________________________________
35. | |
36. | For security-conscious users, the SaferScript browser plugin would request |
37. | a whitelist of .js files (and their sha256 checksums), which should be |
38. | signed by the developer's GPG private key. |
39. | |
40. | (Note: In case SHA-256 is ever broken it needs to be able to support other |
41. | hash functions, such as the SHA-3 family, Whirlpool, and RIPEMD.) |
42. | |
43. | If we do not know the public key, we will request it from the server and |
44. | check with notaries that the user trusts that they see the same key. If |
45. | the website has been queried before, the notary will also compare the |
46. | public key it received with the one archived. |
47. | |
48. | The code will then verify the signature of the whitelist. If it matches, |
49. | then each .js file will be downloaded and their checksums will be verified |
50. | before they are loaded into memory. If any of their checksums doesn't |
51. | match, then that .js file is not loaded and the user is notified. |
52. | |
53. | For public key verification, The browser will then send an SHA-256 digest |
54. | of the whitelist to a notary. If the notary does not have a record of that |
55. | whitelist, our network will request the whitelist and compare the digest |
56. | with the one submitted by the user. If it doesn't match, the user is |
57. | notified and they fail back to a copy that was signed and stored in the |
58. | public record. |
59. | |
60. | If the signature matches but it is an updated version of the Javascript |
61. | (and the notary has cached a copy of the same whitelist), the user will be |
62. | notified of the change and asked if they wish to examine the differences |
63. | between the old version and the new version. (This can be turned off for |
64. | non-tech-savvy users; all changes that any user experiences should be |
65. | mirrored on the notaries, assuming they have opted in.) |
66. | |
67. | No other Javascript will load. Even inline function calls (onClick="" etc) |
68. | will have to be rewritten as $("#objectID").click( function() { }); |
69. | |
70. | If the GPG signature doesn't match, NO Javascript will load for the entire |
71. | domain until the developer updates the signed whitelist with new checksums |
72. | and an updated signature. |
73. | |
74. | Two further levels of paranoia will also be available: If a .css file is |
75. | specified in the whitelist, no other stylesheet changes (outside of those |
76. | made by trusted Javascript) will be registered. Additionally, if a .png, |
77. | .jpg, .gif (etc) file is listed, all other images will be blacklisted. |
78. | These paranoid modes are entirely optional and suited to self-contained |
79. | apps rather than content portals that depend on user-generated content. |
80. | |
81. | Notaries are selected when a user first installs the addon. Trust may be |
82. | revoked by the user at any time should they change their mind. |
83. |____________________________________________________________________________|
84.  
85. __________________
86. | The CLI Program \_________________________________________________________
87. | |
88. | For developers who prever to SSH directly into their production system, |
89. | the CLI program would reconstruct (calculate sha256 checksums and GPG sign |
90. | the list) the whitelist textfile. |
91. | |
92. | root@server~$: saferscript /root/whitelist.src /var/www/white.list |
93. | Calculating SHA-256 checksums: |
94. | /var/www/jquery.js: |
95. | ea3b35ed94f9e600c29ca51d2ee1f6efb03d1389ea5455d2596ca32af1f6aadd |
96. | /var/www/interface.js: |
97. | f75062d19a9e56f0d002f9a93c909636e559ff16b0c8c712e84d207a434e66d8 |
98. | Enter GnuPG Password to sign the new whitelist: |
99. | Your SaferScript whitelist is located at /var/www/white.list |
100. | root@server~$: _ |
101. |____________________________________________________________________________|
102.  
103. _____________________
104. | The Whitelist Files \______________________________________________________
105. | |
106. | There would be two files: One you edit that tells the CLI script which .js |
107. | files should be checksummed and included in the GPG-signed whitelist, and |
108. | the latter file which should be served publicly (http://domain/white.list) |
109. | |
110. | Source File (typically whitelist.src) |
111. | - Line 1 should contain the document root folder |
112. | - Lines 2-n should contain the relative path of each script to be included |
113. | |
114. | Public Whitelist (should be /white.list) |
115. | /jquery.js:sha256:ea3b35ed94f9e600c29ca51d2ee1f6efb03d1389ea5455d2596ca... |
116. | /interface.js:sha256:f75062d19a9e56f0d002f9a93c909636e559ff16b0c8c712e8... |
117. | (Truncated here for the sake of formatting) |
118. | (Then, the PGP signature goes below) |
119. | |
120. | As stated above, the source public whitelist can also contain image or CSS |
121. | files if the developer is truly paranoid. |
122. |____________________________________________________________________________|
123.  
124. ______________________
125. | The Netbeans Plugin \_____________________________________________________
126. | |
127. | For convenience when updating a project on a remote server, without having |
128. | to login through SSH and run the saferscript CLI, a Netbeans plugin would |
129. | be created that would run the command for you every time you update your |
130. | Javascript files. |
131. | |
132. | The whitelist generation would take place entirely on the developer's box, |
133. | but an option to mirror your whitelist source file would be available. |
134. | |
135. | (Netbeans was chosen because it's currently the best free and open source |
136. | IDE for PHP projects on a remote server.) |
137. |____________________________________________________________________________|
138.  
139. ________________
140. | Notary Network \___________________________________________________________
141. | |
142. | Inspired in part by the EFF's SSL Observatory and Moxie Marlinspike's |
143. | Convergence, we would need to set up a robust network capable of handling |
144. | three tasks: |
145. | 1. When a user passes a hostname:SHA hash of a server's whitelist, the |
146. | notaries will see if the hash already exists in its records. If it |
147. | doesn't, the notary requests the white.list, records it, and also |
148. | verifies that the copy it has on file is the same as the copy the user |
149. | forwarded. This should prevent targeted attacks. |
150. | 2. When a user passes the hostname:SHA hash of a server's purported GPG |
151. | public key, the server will check to see if it's a known key for that |
152. | particular host. It will also request the key itself and make sure it |
153. | sees the same key, and store a publicly auditable copy. |
154. | 3. It allows the general public to verify and audit the signed code on |
155. | websites that use this feature, by mirroring this data on a public web |
156. | site on a different network. |
157. |____________________________________________________________________________|
158.  
159. .~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,
160. { PROCESS FLOW (PROGRAM LOGIC) }
161. `^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'
162. A request is sent to a webserver
163. Has the user already established the credibility of the code this session?
164. YES:
165. > Just load whatever settings were cached to minimize overhead
166. NO:
167. > Do we have a cached copy of the development team's GPG key?
168. > YES:
169. >> Continue.
170. > NO:
171. >> !Fallback feature so we can support Tor Hidden Services
172. >> (Make it possible to disable this feature?)
173. >> Does /dev.public exist?
174. >> YES:
175. >>> Fetch /dev.public, which should contain the public key
176. >>> SHA2/3 hash the file
177. >>> Pass it to the Notaries for GPG key verification
178. >>> The notaries will let you know if that's a known public key on
179. >>> file for that hostname. This is a weak authentication so...
180. >>> Prompt the user whether or not they trust the public key
181. >>> YES:
182. >>>> Save the public key to cache for the hostname
183. >>> NO:
184. >>>> Disable Javascript, require user to confirm a security exemption
185. >>>> if they wish to still visit the page.
186. >> NO:
187. >>> Abort; SaferScript is not deployed on this host
188. > Does /white.list exist?
189. > YES:
190. >> GET /white.list
191. >> Verify the GPG Signature with the developer's GPG Public Key
192. >> Does it match?
193. >> YES:
194. >>> Download the .js files
195. >>> FOR EACH JS FILE:
196. >>>> Calculate the hash digest
197. >>>> Does it match?
198. >>>> YES:
199. >>>>> Do we have a cached copy that's any different than the new one?
200. >>>>> YES:
201. >>>>>> Alert user to the changes, allow them to review the changes between
202. >>>>>> both versions and decide whether or not to use the new one or the old
203. >>>>>> copy of the file
204. >>>>> NO:
205. >>>>>> Proceed.
206. >>>> NO:
207. >>>>> Blacklist that file, make sure the user knows.
208. >>> IF(SEND_TO_NOTARIES):
209. >>>> SHA2/3 the white.list file
210. >>>> Send to a trusted notary over TLS (respect proxy
211. >>>> settings so it works with Tor, etc)
212. >>>> Notary will request the white.list file and SHA2/3 hash it
213. >>>> Does it match?
214. >>>> YES:
215. >>>>> Is it an old copy or a new copy?
216. >>>>> NEW:
217. >>>>>> Respond affirmatively, but let the user know it's a new copy
218. >>>>> OLD:
219. >>>>>> Respond affirmatively
220. >>>> NO:
221. >>>>> The user is being signled out with different copies of the Javascript
222. >>>>> Reply negatively, offer the user a nonce they can use to request
223. >>>>> a trusted copy of the white.list if it's needed
224. >> NO:
225. >>> Danger, Will Robinson! Let the user know it failed.
226. >>> Do we have a copy of trusted (signed) code?
227. >>> YES:
228. >>>> Use that instead, keeping the user notified that something is wrong.
229. >>> NO:
230. >>>> Disable Javascript, require user to confirm a security exemption
231. >>>> if they wish to still visit the page.
232. > NO:
233. >> Abort. If a GPG key was specified, disable Javascript and require the user
234. >> to confirm a security exemption if they wish to still visit the page. It's
235. >> fishy if they specify a key but have no white.list file.
236. And then everything else proceeds like normal.
237.  
238. MOTIVATIONS AND DESIGN GOALS
239. o Provide a feature analogous to DEP for Javascript (mitigate XSS)
240. o Provide a mechanism to deliver signed Javascript code
241. o Needs to function even on HTTPS and Tor Hidden Services (no special ports)
242. o Needs to use existing cryptographic primitives (GPG, SHA2)
243. o Needs to be released as free and open source software
244. o All code changes need to be publicly auditable in case of attack
245. o All code delivered must be neutral; you and I should see the same code
246. o Users should have the option to reject "Updates" published by servers
247.  
248. ROADMAP
249. o Build a browser plugin that only allows "trusted" Javascript
250. o Build a GPG signature verification feature for selecting "trusted" code
251. o Build the Command Line Interface tool (C, C++)
252. o Build the Netbeans plugin
253. o Write the documentation
254. o Publish an alpha release
255. o Get peer review, code audits
256. o Possibly publish an Internet Standard?