check integrity of downloaded files
adrelanos opened this issue · 0 comments
Threat model:
- website is more trusted
- mirrors / CDNs are less trusted
Under this threat model it would make sense if something similar to subresource integrity could be used.
```html
<script
  src="https://example.com/example-framework.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>
```
Unfortunately, subresource integrity does not support user-downloaded files at the time of writing. Ticket: w3c/webappsec-subresource-integrity#68
And from the ticket it also doesn't seem like support for that is coming anytime soon.
Meanwhile, would it be possible to do an integrity check with JavaScript? Could the JavaScript look at the download stream, run it through `$sha512` [1] hashing and notify at the end of the download whether the hashsum matches or mismatches?
Tails implemented a similar solution. References:
- https://tails.boum.org/contribute/design/download_verification/
- https://tails.boum.org/install/inc/js/download.js
The disadvantage is that the user has to:
- complete the download
- click the "Verify your download" button
- select the file
- press OK
- wait for the verification to be completed
That's non-ideal from a usability perspective.
Feature request: could `download.js` automate this?
[1] Writing `$sha512` because that's just a placeholder for "hashing algorithm". Shouldn't be hardcoded, to be future-proof.