Let's make Meteor the most secure framework ever - Subresource Integrity


#1

Hello everybody,

As some of you may know, there’s been a lot of talk about Meteor and Mylar in the academic and industrial environment, and I’m creating this post to push the community to do an even better job.

Mylar is a very cool implementation of some new mathematical concepts; if you want to find out more, check this. Suffice it to say that they did something no one had done before, to help developers make apps more secure than anything else they could do before.

Mylar + SSL makes Meteor much more secure, but in order to call it potentially secure we need an additional step: authenticity. We need to be able to verify that the source code loaded is authentic, and Subresource Integrity does just that. It uses a cryptographic hash algorithm to verify source authenticity in a way Meteor alone would never be able to.

SRI has recently been added to the W3C drafts, and with the stable release of the Google browser today it has reached widespread support on Chrome and Firefox.

Mylar + SSL + SRI would make a Meteor app deployed with PhoneGap very very secure, and would greatly increase the security of the average web app. Plus it would solve the problem of package security, and add a Meteor way to do secure stuff, which I’m sure will be imitated by many other frameworks.

People would use Meteor knowing they are already covered on a lot of attack surface. A compromise of a server would allow business to continue as usual, as an attacker with SSH root access could at most stop the app :smile:, without being able to read anything meaningful from the database.

For the next two weeks I will be busy as hell; after that I will try to write a paper on the subject, with the goal of finding new cryptographic database schemas. I will surely cover SRI and I will try to push some commits here and there, but if more people adopt this concept, I’m sure we could make Meteor the most secure framework ever. Qualitatively more secure than anything else before.
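The hash check that SRI performs, as an added example that is not part of the original post and is not Meteor's or Mylar's code: it builds an `integrity` value for a bundle and re-implements the browser-side match, including the rule that only the strongest listed algorithm counts. The function names and the sample bundle are constructed for illustration.

```javascript
// Added example (Node.js, CommonJS): generating and checking SRI metadata.
const { createHash } = require('node:crypto');

// Hash algorithms defined for SRI, ordered weakest to strongest.
const ALGOS = ['sha256', 'sha384', 'sha512'];

// Build one integrity token, e.g. "sha384-<base64 digest>".
function sriToken(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Parse an integrity attribute: whitespace-separated tokens, each
// "<algo>-<base64>" with an optional "?options" suffix.
// Tokens with an unknown algorithm or malformed digest are dropped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(?:\?\S*)?$/.exec(tok);
    return m ? { algo: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// Mirror the browser's decision for a fetched body.
function verify(body, attr) {
  const entries = parseIntegrity(attr);
  // No usable metadata means the resource loads unchecked, so a typo in
  // the algorithm name silently disables the protection.
  if (entries.length === 0) return true;
  const rank = (e) => ALGOS.indexOf(e.algo);
  const top = Math.max(...entries.map(rank));
  // Only digests of the strongest algorithm present are considered.
  return entries
    .filter((e) => rank(e) === top)
    .some((e) => sriToken(body, e.algo) === `${e.algo}-${e.digest}`);
}

// Constructed sample: a bundle as built, and the same bundle after modification.
const bundle = Buffer.from('console.log("app bundle v1");');
const modified = Buffer.concat([bundle, Buffer.from('/* modified */')]);
const integrity = sriToken(bundle);

console.log(`<script src="/app.js" integrity="${integrity}" crossorigin="anonymous"></script>`);
console.log('original accepted:', verify(bundle, integrity));
console.log('modified accepted:', verify(modified, integrity));
```

The hash only helps when the page carrying the `integrity` attribute comes from a source the attacker does not control; if the same server serves both the HTML and the script, whoever can change one can change the other.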


#2

Just to clarify an objection some people might think about:

Won’t this have a performance hit on my server?

  1. It would be optional, like SSL
  2. It would not cost much more than SSL, resource-wise
  3. It is well worth the cost
  4. There are RAM-speed hashing algorithms for the CPU already (xxhash)
  5. We can always use OpenCL / WebCL to implement (already existing) blazing fast algorithms, being the first framework to use OpenCL in production. A big step up.

#3

Is there any intention to implement this into Meteor? And are there other end to end encryption options available for Meteor?


#4

Both React and Vue.js support it; I couldn’t make it work with Blaze.


#5

Apparently there was an improvement made to Mylar too.