I run a Bitcoin wallet that uses browser side Javascript to encrypt and decrypt Bitcoin keys.
I want to make the javascript available for scrutiny on Github, and then load the javascript from the github repository.
My problem is I need to check the integrity of the loaded Javascript to ensure at hasn't been tampered with at Github.
How can I best do this ? Would it be something like.
- Load remote Javascript with an ajax call.
- MD5 hash and pare.
- If in good shape execute it.
I run a Bitcoin wallet that uses browser side Javascript to encrypt and decrypt Bitcoin keys.
I want to make the javascript available for scrutiny on Github, and then load the javascript from the github repository.
My problem is I need to check the integrity of the loaded Javascript to ensure at hasn't been tampered with at Github.
How can I best do this ? Would it be something like.
- Load remote Javascript with an ajax call.
- MD5 hash and pare.
- If in good shape execute it.
- 2 Couldn't the client mess with the checksum puting function itself? – Anirudh Ramanathan Commented Mar 18, 2013 at 15:01
- Maybe store your code on another server. A CDN that only you can access. That way you can be sure it's fine. – gen_Eric Commented Mar 18, 2013 at 15:01
- How crucial is this at the point of checking if client-side? I'm pretty sure you know client-side is not safe in practically any way. The integrity check really must be done by a server-side script and then feed it back to the JavaScript, otherwise you will face immense security problematics. – user1467267 Commented Mar 18, 2013 at 15:02
- Anything that runs in a browser can be tampered with. Either directly or scripts loaded with an extension or add on. – datasage Commented Mar 18, 2013 at 15:02
- 4 I'm pretty sure that using github as a CDN is explicitly discouraged. – Pointy Commented Mar 18, 2013 at 15:02
1 Answer
Reset to default 6There is (or soon WILL be) an elegant way to achieve this now (2 years after the question was asked).
http://www.w3/TR/SRI/
You can now specify the "integrity" parameter inside the script tag:
<script src="https://github./<path>/yourscript.js"
integrity="sha256-SDf......">
This won't work for the script loaded via an AJAX requests. But you can potentially reference scripts as script tags pointing at the CDN (ideally not at github directly)