7

I run a Bitcoin wallet that uses browser-side JavaScript to encrypt and decrypt Bitcoin keys.

I want to make the JavaScript available for scrutiny on GitHub, and then load the JavaScript from the GitHub repository.

My problem is I need to check the integrity of the loaded JavaScript to ensure it hasn't been tampered with at GitHub.

How can I best do this? Would it be something like:

  1. Load remote JavaScript with an ajax call.
  2. MD5 hash and compare.
  3. If in good shape execute it.
Ian Purton
  • Couldn't the client mess with the checksum computing function itself? – Anirudh Ramanathan Mar 18 '13 at 15:01
  • Maybe store your code on *another* server. A CDN that only you can access. That way you can be sure it's fine. – gen_Eric Mar 18 '13 at 15:01
  • How crucial is this at the point of checking if client-side? I'm pretty sure you know client-side is not safe in practically any way. The integrity check really must be done by a server-side script and then feed it back to the JavaScript, otherwise you will face immense security problematics. –  Mar 18 '13 at 15:02
  • Anything that runs in a browser can be tampered with. Either directly or scripts loaded with an extension or add on. – datasage Mar 18 '13 at 15:02
  • I'm pretty sure that using github as a CDN is explicitly discouraged. – Pointy Mar 18 '13 at 15:02
  • I should clarify. This is to ensure the code on the remote CDN or Github has not been tampered with. If I tell you the site it might be more clear. https://www.strongcoin.com – Ian Purton Mar 18 '13 at 15:05

1 Answer

6

There is (or soon WILL be) an elegant way to achieve this now (2 years after the question was asked).

http://www.w3.org/TR/SRI/

You can now specify the "integrity" parameter inside the script tag:

<script src="https://github.com/<path>/yourscript.js"
        integrity="sha256-SDf......"
        crossorigin="anonymous"></script>

This won't work for scripts loaded via AJAX requests. But you can potentially reference scripts as script tags pointing at the CDN (ideally not at GitHub directly).

DmitryK
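The fetch, hash and compare flow from the question, using the digest format of the `integrity` attribute from the answer, as an added example that is not part of the original question or answer. It runs under Node.js, uses SHA-2 digests instead of the MD5 mentioned in the question, and the names `sriFor` and `verifySri` and the sample script bytes are assumptions made for illustration.

```javascript
// Added example, not code from the question or answer. Runs under Node.js.
const { createHash } = require("crypto");

// Hash algorithms SRI accepts, weakest first.
const ALGS = ["sha256", "sha384", "sha512"];

// Build the value for integrity="..." from the exact bytes that will be served.
function sriFor(body, alg = "sha384") {
  if (!ALGS.includes(alg)) throw new Error("unsupported algorithm: " + alg);
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Check fetched bytes against an integrity value before running them.
// Mirrors the browser rule: only the strongest algorithm present is considered,
// and any one matching digest of that strength is enough.
function verifySri(body, integrity) {
  const tokens = [];
  for (const t of String(integrity).trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(t);
    if (m) tokens.push({ alg: m[1], digest: m[2] });
  }
  // Fail closed when nothing usable is listed (for example only an md5 token).
  if (tokens.length === 0) return false;
  const best = tokens.reduce((a, b) =>
    ALGS.indexOf(b.alg) > ALGS.indexOf(a.alg) ? b : a).alg;
  const actual = createHash(best).update(body).digest("base64");
  return tokens.some(t => t.alg === best && t.digest === actual);
}

// Constructed sample input standing in for the hosted wallet script.
const sampleScript = Buffer.from('console.log("wallet code v1");\n');
const tampered = Buffer.from('console.log("wallet code v1 modified");\n');

// The pinned value is computed once from the reviewed file and shipped with the page.
const pinned = sriFor(sampleScript);
console.log(pinned);
console.log("original accepted:", verifySri(sampleScript, pinned));
console.log("modified accepted:", verifySri(tampered, pinned));
```

The pinned value has to be delivered from an origin other than the one hosting the script, otherwise whoever can change the script can change the hash too.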