Should you use SRI for self-hosted scripts?
Here's a curiosity which I found while stumbling through the Sony PlayStation store.
The website loads internally hosted scripts using SRI (Subresource Integrity). Why?
Does your work require you to swipe an ID card to access the building? That seems pretty normal.
Does your work also remind you to keep your badge visible, and to challenge people who aren't wearing theirs? That also seems pretty normal. Sometimes security is breached, so we have multiple layers to keep us safe.
In Sony's case, they may know that many people have write access to the /assets/ directory, but very few can write to the product templates. So they add a further check even on code which they serve themselves.
This is defence in depth. But is it sensible?
If you're running a simple site, there's probably no benefit to this. If someone has the ability to maliciously alter a single JS file on your server, they probably have the ability to change the SRI hashes you're embedding.
But if you have a large and complicated infrastructure, it makes sense to double-check everything.
If you think I'm wrong - stick a comment in the box below.
FJ says:
This strategy can also conceivably help defend against automated attacks. Many bots alter well-known files in well-known locations, especially when popular CMSs are involved, and do not necessarily touch anything else on the server, which would require knowledge of the local paths and setup — and heighten the chances of being discovered.
For example, if a vulnerability were to affect a well-known WordPress theme, which is not unheard of, I can imagine an attack bot using the exploit to booby-trap a JavaScript library that is known to be part of the theme (something long and dense and boring like a minified jQuery file), without altering anything else. The internal SRI check would defend against this.
Marcus Downing says:
Sony aren't just at theoretical risk. They have been breached multiple times in the past. They KNOW their systems are compromised, so this makes sense.
Given the constant stream of malware, clever attack vectors, and leaks from high places, it would be wise for more companies to act like this. Don't pretend your internal security is perfect.