Ensuring JavaScript Security


Rationale/Elevator Pitch

On September 24, 2014, the jQuery website was hacked. Although the public CDN-hosted libraries weren't modified (every writeup about the hack was very quick to mention that), it does raise the question... "What if the libraries were modified?" If the jQuery CDN were hacked and the library source modified, the millions of websites across the internet that use it would then be exposed to whatever the hacker had in mind. How can we detect modifications? prevent modified code execution? protect our users?

When distributing code in many other platforms, the code is first verified and before execution, verified. This same concept can apply to JavaScript source as well. By utilizing PGP code signing, any developer can ensure that the code that is executed on his page is the code he intended, without fail.

Quick Demo

I have a working prototype that does everything within the page. I created my own x-script tag to prevent the browser from automatically fetching the JavaScript. These tags are discovered by my own JavaScript code. The code fetches each file, its key and signature (if verification is to be performed), and then executes the code after successful verification.

Next Steps

Now that I have a working prototype, I'd like to work on moving the code deeper into the browser. The code currently relies on LocalStorage as a hash and key cache, which obviously isn't preferred. Also, code verification would perform much faster running natively, rather than in JavaScript.

Contact Me

I can be reached at [email protected]. Learn more about me at http://mikesir87.io.