
What if China went all GitHub on your website? Grab this coding tool

But testing tool's taking flak from top infosec bods

A security developer has released a coding tool that aims to help websites test their defences against a China-style GitHub attack.

China upgraded its infamous website blocking system, dubbed The Great Firewall, last year so that it was capable of blasting foreign businesses and orgs off the internet.

The weaponised censorship tool was reportedly deployed last March against US-based GitHub.com, which at the time was hosting two projects that circumvented the Great Firewall's censorship mechanisms, and against GreatFire.org, a free speech website dedicated to fighting China's web censorship.

The Great Firewall of China was used to change JavaScript files being returned for requests to Baidu, in order to push a massive Layer 7 traffic flood against GitHub.

GitHub mitigated the assault but concerns remained that follow-ups, and perhaps even more powerful JavaScript-based DDoS assaults, might be launched.

In response, internet plumbers developed a technique called Subresource Integrity (SRI), which is geared towards pulling the fangs from this type of attack, as previously reported. The technique, backed by the World Wide Web Consortium (W3C), assigns a cryptographic hash to Content Delivery Network-hosted JavaScript and Cascading Style Sheet (CSS) assets to protect them against tampering.

In order to boost this security protection technique, Gabor Szathmari has published a new service to scan and grade websites for SRI hashes. The sritest.io service scans submitted websites and grades them for compliance.

More details about SRI and the scanning service can be found in the announcement on Szathmari’s blog here.

Szathmari told El Reg that the main target audience for the service was website developers. “These developers can go on to any URL on the website they are developing, and quickly assess and verify if SRI is implemented,” he explained.

Website owners and penetration testing security consultants might also find the service useful, Szathmari added.

Dynamic dilemma

Despite Szathmari's enthusiasm and encouragement of others, as well as the backing of the W3C, some independent experts, at least, remain unconvinced of the benefits of SRI technology. For example, Rob Graham of Errata Security told El Reg that although SRI is useful in “some narrow situations” the roll-out of the technology would be problematic in dynamic website environments.

“It [SRI] is of course useful in some narrow situations, but the article largely gets it wrong,” according to Graham. “The issue isn't that they'll change on the network (as in the Great Firewall issue), but that files will change on the third party provider. We can already stop the network issue with SSL/TLS.”

“Moreover, it's hostile to the web, where files are changing constantly. You don't want a fixed JavaScript library that won't change, but the latest version with bug fixes and support for newer browsers,” he added.

Great Cannon blocker

Szathmari could not be reached immediately to respond to Graham’s criticism of the utility of SRI. However, his earlier explanation of the benefits of SRI gives a flavour of the arguments in favour of the technology.

“SRI could have partially mitigated that particular type of attack Great Cannon was doing. What they did is [serve] an advertising script from Baidu’s CDN. If someone visited any Chinese website from Taiwan for example, the great firewall replaced Baidu’s script with a malicious payload.”

SRI offers at least partial remediation against this type of JavaScript-based DDoS, according to Szathmari.

“SRI could have partially prevented this, because China was tampering with cleartext traffic served over http:// and passing through the Great Firewall of China,” Szathmari argued. “They could not tamper with https:// traffic though. However, China already demonstrated that they are willing to tamper with innocuous web traffic to weaponise it, and nothing prevents them from modifying the script at Baidu’s data-centres next time.”

Applications of the technology extend beyond further alleged malfeasance by the Chinese state, according to Szathmari.

Someone broke into MaxCDN in 2013 and tampered with the popular scripts served from their side project named BootstrapCDN, as explained in a post-mortem by the firm after the attack here.

SRI could have protected website visitors in this case, according to Szathmari, who adds that BootstrapCDN now includes the SRI hashes in the tags that website owners can copy-paste into their own websites.

Slow train to SRI

SRI seems akin to DNSSEC in that there is a genuine debate about how useful the technology is, and that debate may be a factor in its slow roll-out, it seems to El Reg's security desk.

Szathmari has his own take on the slow adoption of SRI. “The technology is relatively new and the adoption rate is poor, because website developers need to modify their HTML source code to include SRI hashes in the script and link tags,” he told El Reg.

“Website owners, who are not developers, may also add SRI without any programming skills. For instance WordPress now offers a plugin that adds the SRI hashes automagically once the plugin is installed,” he added. ®
