Skip to content

Instantly share code, notes, and snippets.

@SoniEx2

SoniEx2/cdns.md Secret

Last active March 21, 2018 23:32
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save SoniEx2/0b7e0b868fb82b8b0a835c3e45e1435a to your computer and use it in GitHub Desktop.
Save SoniEx2/0b7e0b868fb82b8b0a835c3e45e1435a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
cdns.md

CDNs are a threat to privacy - here's how to fix them

Abstract

CDNs are used to distribute e.g. the jquery for most websites out there. This makes the browser able to cache it and thus load it faster.

This document talks about practical attacks by or against CDNs and potential solutions to them.

1. Caching

Browsers cache data, but not metadata. Every time you load a website, it's still gonna send a request for the metadata.

There's some limited caching of metadata, but it's so limited as to be practically useless.

The browser also sends some metadata of its own:

  • The user agent
  • The IP address (indirectly through a TCP connection)
  • The referrer

2. Logging

The flawed caching mechanism on its own is not a big deal - an active attacker would be able to link IPs and referrers for new requests, but would quickly be found out.

On the other hand, a much more serious attack involves logging. Most CDNs log, including IP addresses and referrer headers. If the attacker is in, it's much easier for them to just grab all existing logs they can find than to log all new requests.

3. Modification

CDNs can modify the served files at any time. While on one hand this can be good, e.g. newer minification techniques could reduce the size of JS files, this also means they could start serving malicious files at any time. They can also make files unavailable at any time, breaking existing websites.

4. Denial-of-Service

CDNs, like any other service, can suffer from DoS attacks, close down, or delete some older files.

Modern protocols like DNSSEC make some DoS attacks significantly harder to pull off, but not entirely out of question.

Mitigations

Currently, the following mitigations are available:

  • Subresource tags can specify a hash, this is called "subresource integrity". This protects the user from malicious scripts, but not from denial-of-service.
  • Some tags can specify a referrer policy. This can be used for cross-domain tracking protection.

Potential future mitigations include:

  • Allow <script> tags to specify a referrer policy.
  • Allow longer-term metadata caching. This is mainly a performance/efficiency benefit as the browser wouldn't have to make as many HTTP(S) requests, but this also cuts down on the number of times metadata is sent to the CDN.
    • Actually, subresource caching should just be straight-up overridable by the webpage.
  • Magnetized resources could permanently solve DoS and availability problems.

One way some of these might look like:

<script src="cdn" integrity="sha256-some_base64_here" referrerpolicy="no-referrer" type="text/javascript"></script>

However, most developers will just copy the src, and not pay attention to the hash or referrer options.

Another solution is to use magnetized transfers as a CDN. This still solves the mutability, tracking, and caching problems, while also solving availability problems and providing much better locality - in many households, files could be fetched straight from LAN.

Conclusion

CDNs are broken by design. There are some mitigations, but we aren't there yet.

References

Subresource Integrity: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

Referrer Policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

TODO: fill this in

License

Copyright (C) Soni L. 2018

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment