Improving the Trustworthiness of JavaScript on the Web
a day ago
- #web-security
- #transparency
- #cryptography
- JavaScript cryptography is considered harmful due to code distribution issues.
- Smartphone apps avoid these issues through app store security features like integrity, consistency, and transparency.
- WAICT (Web Application Integrity, Consistency, and Transparency) is a W3C-backed effort to enhance web security.
- WAICT uses integrity manifests and subresource integrity (SRI) to define and enforce web application integrity.
- Transparency in WAICT ensures web application code is stored in a publicly accessible, append-only log.
- WAICT includes a prefix tree to manage enrolled sites and ensure transparency.
- Witnesses verify and sign updates to the prefix tree to maintain trust.
- WAICT aims to mitigate inconsistency issues like tree and temporal inconsistency.
- Extensions like WEBCAT can be integrated into WAICT for additional security features like code provenance.
- Deployment considerations include roles like transparency services, witnesses, asset hosts, and clients.
- WAICT is compatible with alternate ecosystems like Tor, using blockchain for transparency.
- Standardization efforts are ongoing, with subresource integrity for more data types as a next step.