7

I run a Bitcoin wallet that uses browser-side JavaScript to encrypt and decrypt Bitcoin keys.

I want to make the JavaScript available for scrutiny on GitHub, and then load the JavaScript from the GitHub repository.

My problem is that I need to check the integrity of the loaded JavaScript to ensure it hasn't been tampered with at GitHub.

How can I best do this? Would it be something like:

  1. Load remote JavaScript with an ajax call.
  2. MD5 hash and compare.
  3. If in good shape execute it.
7
  • 2
    Couldn't the client mess with the checksum computing function itself? Commented Mar 18, 2013 at 15:01
  • Maybe store your code on another server. A CDN that only you can access. That way you can be sure it's fine. Commented Mar 18, 2013 at 15:01
  • How crucial is this at the point of checking if client-side? I'm pretty sure you know client-side is not safe in practically any way. The integrity check really must be done by a server-side script and then feed it back to the JavaScript, otherwise you will face immense security problems. Commented Mar 18, 2013 at 15:02
  • Anything that runs in a browser can be tampered with. Either directly or scripts loaded with an extension or add on. Commented Mar 18, 2013 at 15:02
  • 4
    I'm pretty sure that using github as a CDN is explicitly discouraged. Commented Mar 18, 2013 at 15:02

1 Answer

6

There is (or soon WILL be) an elegant way to achieve this now (2 years after the question was asked).

http://www.w3.org/TR/SRI/

You can now specify the "integrity" parameter inside the script tag:

<script src="https://github.com/<path>/yourscript.js"
        integrity="sha256-SDf......"
        crossorigin="anonymous"></script>

This won't work for a script loaded via an AJAX request. But you can potentially reference scripts as script tags pointing at the CDN (ideally not at GitHub directly).
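
The check that the `integrity` attribute performs, reproduced outside the browser as an added example (not code from the question or the answer): it computes the attribute value for a script and verifies a body against it the way SRI does, consulting only the strongest hash listed. It runs under Node.js; the function names and the sample script bodies are constructed for illustration.

```javascript
// Added example (Node.js); names and sample data are constructed.
const { createHash } = require('node:crypto');

// Hash functions SRI accepts, weakest to strongest. MD5 is not among them.
const ALGS = ['sha256', 'sha384', 'sha512'];

// Value for the integrity attribute: "<alg>-<base64 digest of the exact bytes>".
function sriFor(body, alg = 'sha384') {
  if (!ALGS.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Verify a body against integrity metadata: split on whitespace, drop tokens
// with unknown algorithms, keep only the strongest algorithm present, and
// accept if any digest listed for that algorithm matches.
function verifySri(body, integrity) {
  const parsed = String(integrity).trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$/.exec(tok))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], digest: m[2] }));
  // A browser treats metadata with no usable token as absent and loads the
  // script; this example fails closed instead.
  if (parsed.length === 0) return false;
  const strongest = parsed
    .map((p) => p.alg)
    .sort((a, b) => ALGS.indexOf(b) - ALGS.indexOf(a))[0];
  const actual = createHash(strongest).update(body).digest('base64');
  return parsed.some((p) => p.alg === strongest && p.digest === actual);
}

// Constructed sample: a released script and a copy altered on the host.
const released = Buffer.from('function decryptKey(c, p) { /* ... */ }\n');
const tampered = Buffer.from('function decryptKey(c, p) { /* altered */ }\n');
const pinned = sriFor(released);

function demo() {
  return {
    releasedOk: verifySri(released, pinned),
    tamperedOk: verifySri(tampered, pinned),
    // A stale sha256 entry is ignored because a sha384 entry is present.
    strongestWins: verifySri(released, `${sriFor(tampered, 'sha256')} ${pinned}`),
    // Correct sha256 but wrong sha384: rejected, only sha384 is consulted.
    weakerIgnored: verifySri(released,
      `${sriFor(released, 'sha256')} ${sriFor(tampered, 'sha384')}`),
    md5Rejected: verifySri(released, 'md5-1B2M2Y8AsgTpgAmY7PhCfg=='),
  };
}

console.log(demo());
```

The pinned value only helps when it is delivered from an origin that the script host cannot modify, such as the page that carries the script tag.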
