PLAY PODCASTS
Web asset security (osc22)

and how to verify that Javascript before you trust your data to it

Chaos Computer Club - archive feed · Adam Majer

June 3, 2022 · 26m 34s


Show Notes

Before downloading a software release, we all know to verify the GPG signature before even trying to unpack that tarball. And when such a signature is not available, we all know to chastise the developer for not taking security seriously. But what happens with deployed web resources? How can these be verified before we trust them with our secure data? I would like to show a proof-of-concept of using out-of-band verification (aka DNS) of web content (.js, .html, .jpeg, etc.) prior to allowing it to execute and trusting it with our data.

About this event: https://c3voc.de

Topics

osc22, 3841, 2022, New Technologies