Michaela Merz's personal blog site

Making Javascript safe


JavaScript is growing strong. It’s the universal language for online development. It allows anything – from file access to content modification; even video and audio chats are now scriptable. But what about security? A new mechanism guarantees safe script even on corrupted servers.

Almost all new browsers support a huge variety of cool functionality relying purely on JavaScript for its magic. You can decode mp3 files, play MS-DOS games like Duke 3D or Doom, you can perform extensive crypto, modify the webpage you are viewing, access the keyboard, the camera or microphone – you can even run a full Linux kernel within your browser. JavaScript has come a long way. And more stuff gets added every day.

Whenever you visit a web page, all JavaScript functionality is silently loaded into your browser. You don’t know what it does. Modern obfuscating technology makes it nearly impossible – even for professionals – to quickly analyze or verify the scripts. Whenever you re-visit a page or reload it, new or modified JavaScript is loaded into the browser. Add so-called XSS problems and you understand that “normal” JavaScript is both a curse and a blessing.

The developers understand that of course.  A “Content-Security-Policy” (CSP) instrument was added to modern browsers that virtually eliminates Cross-Site-Scripting (XSS).  This requires strict JavaScript programming and the modification of older web sites – but it is worth the effort. Combine CSP with an encrypted communications channel and you can pretty much assume a safe environment.

But all is not good. Because malicious code can still be transferred into your browser. Even with CSP and encryption. If it is modified on the server.

Let’s say you do electronic banking. The bank uses CSP and encryption to protect whatever is happening in your browser. But what if somebody were able to modify the content directly on the bank’s web server? CSP would not recognize this and your browser would execute the code without you even knowing. The JavaScript code might have been OK yesterday, but somebody modified it and now the modified, malicious code is running in your browser. Who would truly accept the fact that we are constantly downloading and executing code (= programs) on our computers without even knowing what this code actually does?

We all do. Every day.

We implicitly trust that web sites and developers don’t want to harm us. We don’t know them. We can’t sue them if they are bad. We can’t even pursue them because they might have attacked the bank (or any other web site) from overseas.

This is unacceptable.

I am doing a lot of JavaScript development. My projects (like SECUMUNDO) rely heavily on secure script code for encryption and other mechanisms. So I developed a mechanism that, in combination with CSP and TLS, ensures that the JavaScript code (or other elements of the website) can’t be modified without me knowing. You can be sure that the JavaScript code loaded into your browser is exactly the way I wrote it. It may still have errors and yes, I would be able to try to harm you, but if you trust me or my web site, you can rest assured that nobody but me will be able to modify my code.

Here is how that works:

Before publishing, a script on my development server generates a cryptographic hash for each JavaScript file or other static web site element. All those hashes will again be hashed and signed with my personal private key. A little plugin in the browser silently monitors all elements and re-calculates the hashes, comparing them to the original ones. If the signature doesn’t match or if a hash doesn’t compute correctly, your browser’s memory will be cleared and you will be notified. Anybody using SECUMUNDO for secure and private file storage or communications can do so without any fear of silent eavesdropping or worse.
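
A minimal sketch of the hash-and-sign flow described above, added here as an illustration; it is not the author's or SECUMUNDO's code. SHA-256, Ed25519, the manifest layout and every function name are assumptions, and the sample site is constructed.

```javascript
// Added illustration. SHA-256 and Ed25519 are assumptions; the post names no algorithms.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// "All those hashes will again be hashed": one digest over the sorted (path, hash) pairs.
const rootOf = (hashes) =>
  sha256(JSON.stringify(Object.entries(hashes).sort(([a], [b]) => (a < b ? -1 : 1))));

// Development server, before publishing: hash each element, sign the root digest.
function buildManifest(assets, privateKey) {
  const hashes = {};
  for (const [path, body] of Object.entries(assets)) hashes[path] = sha256(body);
  const signature = crypto.sign(null, Buffer.from(rootOf(hashes), 'hex'), privateKey);
  return { hashes, signature: signature.toString('base64') };
}

// Browser side: check the signature first, then re-hash what was actually delivered.
function verifyAssets(manifest, delivered, publicKey) {
  const signed = crypto.verify(null, Buffer.from(rootOf(manifest.hashes), 'hex'),
    publicKey, Buffer.from(manifest.signature, 'base64'));
  if (!signed) return { trusted: false, reason: 'bad-signature', paths: [] };
  // An element missing from the manifest counts as modified, not as unknown.
  const paths = Object.keys(delivered)
    .filter((p) => manifest.hashes[p] !== sha256(delivered[p]));
  return paths.length
    ? { trusted: false, reason: 'hash-mismatch', paths }
    : { trusted: true, reason: 'ok', paths: [] };
}

// Constructed sample site and a throwaway key pair, for the demonstration only.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const site = { '/js/app.js': 'console.log("v1");', '/css/site.css': 'body{margin:0}' };
  const manifest = buildManifest(site, privateKey);
  // Case 1: the server-side file is changed, the manifest is left alone.
  const changed = { ...site, '/js/app.js': 'console.log("v1"); /* altered */' };
  // Case 2: the manifest hash is also rewritten to match, but cannot be re-signed.
  const forged = { ...manifest,
    hashes: { ...manifest.hashes, '/js/app.js': sha256(changed['/js/app.js']) } };
  return {
    clean: verifyAssets(manifest, site, publicKey),
    fileChanged: verifyAssets(manifest, changed, publicKey),
    manifestForged: verifyAssets(forged, changed, publicKey),
  };
}

console.log(demo());
```

The second case is why the signature matters: someone who can edit files on the web server can also edit a manifest stored there, so the check only holds if the public key ships with the plugin rather than being fetched from the server being checked.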


This method doesn’t need any modifications to the workflow, you don’t have to change any code, it’s flexible and easy to implement.

Though I have filed a provisional patent for this technology, I am willing to share and to cooperate in order to help make our online world a little safer.

Contact me if interested.
