为开放网络提供可信赖的 JavaScript
Mozilla 提出了一种名为 Web Application Integrity, Consistency and Transparency (WAICT) 的新技术,旨在解决开放网络中服务器恶意篡改客户端代码的安全问题。
WAICT 允许网站将客户端代码与清单进行加密绑定,并将该清单记录在公开可审计的日志中,以确保代码完整性和透明度。
这样,浏览器可以拒绝未经公开记录的代码,提高安全性,并使攻击行为可追踪。
Mozilla 正在与 Cloudflare、Freedom of the Press Foundation 和 Meta 等合作伙伴合作,并在 Firefox Nightly 中发布了 WAICT 的早期原型以供测试,后续将进行标准化。
查看原文开头(英文 · 仅前 3 段)
The open web is a critical platform for applications that handle highly sensitive data, from private communications to financial transactions and medical records. Traditionally, servers are trusted to deliver the appropriate code and resources for their web applications to browsers, who then provide a secure and isolated environment for their execution. In some circumstances, this trust model falls short.
Consider a browser-based messaging application, like Signal or WhatsApp, which uses end-to-end encryption. The browser depends on the server to provide a trustworthy javascript implementation of the app; which ensures the user’s messages and cryptographic keys are suitably protected. A malicious or compromised server could selectively serve modified code to some users, undermining their security with little risk of detection. This challenges the basic premise of end-to-end encryption: that a misbehaving server should not be able to compromise user security.
Towards Verifiable Security on the Web
※ 出于版权考虑,仅引用前 3 段。完整内容请阅读原文。