I attended a Sydney SecTalks meetup last night which talked about the dangers of Content Delivery Networks being compromised (CDNs).

Lots of websites source their javascript and css resources from CDNs to improve their website’s performance. Examples of CDNs are jquery, bootstrap, google api and Amazon S3.

This implicit trust of external/third party resources can put those websites at risk of being compromised, even without those web servers being hacked.

How so?, you might ask.

Well through the CDN being compromised, the website might be sourcing infected javascript files with malicious code (such as keyloggers) or with css stylesheets that can deface your website.

A well known example of this sort of attack was when Reuters’ website got hacked back in 2014 and had their website redirected to somewhere else. Reuters itself wasn’t hacked, but the CDN it used was.

Trust but Verify

A recent W3C specification, Subresource Integrity (SRI), allows websites that include javascript to stop working if that file had been modified. This allows websites to benefit from the performance gain of using CDNs without the fear that a CDN compromise can harm their website.

This can be done using the integrity attribute. See examples below.

The value of the integrity is basically the hash of the file. Currently the supported hash functions are SHA-256, SHA-384 and SHA-512.

How do I generate the hash?

You can run the sha256sum, sha284sum or sha512sum command on a terminal to generate the hash.

Alternatively, there are websites which does the same thing too, such as the SRI Hash Generator. However with this option, it might lead you to ask how you can trust that those SRI generator websites aren’t compromised themselves.

On top of that some common CMS have plugins for doing SRI, such as the WordPress SRI manager plugin.

Not all browsers currently support SRI

The specification is currently only supported on Firefox, Chrome and Opera. So those using Internet Explorer and Safari don’t currently benefit from SRI.

However looking at the recent browser statistics, those three browsers make up for almost 90% of the browser market share.

Conclusion

SRI allow websites to enjoy the performance benefits of using CDNs and give companies peace of mind that the content they are using have not been compromised.