signed content

J. Lambrecht
21 August 2015, 11:55
Have Hiawatha work with a certificate to sign the pages ( static and rendered content ).

The signature should be inserted into the page. This may be as a header ( html ) or as a comment ( javascript and css ). The insertion may be static ( on-disk ) or dynamic ( on-the-fly )
Hugo Leisink
21 August 2015, 12:11
What do you try to achieve with this? There is no browser that supports this, so what's the point of it?
J. Lambrecht
29 August 2015, 11:18
This must be the most efficient security feature i can think of. I've though of a number of what-if's and but-if's, the end count remains it could prove an invaluable feature. Given Hiawatha would not be the target but the server hosting Hiawtha would for example.

Writing a browser add-on or plugin to support this would not be impossible. Given the recent announcement for Mozilla to start working on add-on/extension compatibility with Google Chrome, this could even happen with less effort than before.

Offering such a feature could extend the security perimeter into content. These hashes could be stored off-site to maintain trustability for example.

One variation would be there would not be a hash in the content but the browser would calculate it on page loading. Send it back to the server/hiawatha which would compare it to the stored value. In case there is no match, the server could warn the user the content has been messed with.
Hugo Leisink
29 August 2015, 16:37
I still don't see how this adds to security. The connection can already be secured via HTTPS. This only leaves the server itself. But if that one is compromised, your solution won't help because the hashes can than also be forged.
This topic has been closed.