Trust your CDN but verify with SRI
I attended a SecTalks meetup last night which talked about the dangers of Content Delivery Networks being compromised (CDNs).
This implicit trust of external/third party resources can put those websites at risk of being compromised, even without those web servers being hacked.
How so?, you might ask.
A well known example of this sort of attack was when Reuters’ website got hacked back in 2014 and had their website redirected to somewhere else. Reuters itself wasn’t hacked, but the CDN it used was.
Trust but Verify
This can be done using the integrity attribute. See examples below.
The value of the integrity is basically the hash of the file. Currently the supported hash functions are SHA-256, SHA-384 and SHA-512.
How do I generate the hash?
You can run the sha256sum, sha284sum or sha512sum command on a terminal to generate the hash.
Alternatively, there are websites which does the same thing too, such as the SRI Hash Generator. However with this option, it might lead you to ask how you can trust that those SRI generator websites aren’t compromised themselves.
On top of that some common CMS have plugins for doing SRI, such as the WordPress SRI manager plugin.
Not all browsers currently support SRI
The specification is currently only supported on Firefox, Chrome and Opera. So those using Internet Explorer and Safari don’t currently benefit from SRI.
However looking at the recent browser statistics, those three browsers make up for almost 90% of the browser market share.
SRI allow websites to enjoy the performance benefits of using CDNs and give companies peace of mind that the content they are using have not been compromised.