Link »ØÌæs

¸«²ò¡¿ËÝÌõ¡¿ÈÇ 0.6 - 2008-07-09

Introduction

Link »ØÌæs is a system for µö¤¹ing a HTML link to ¸ÀµÚ¡¿´ØÏ¢ not only a particular »ñ¸», but a particular ¸«²ò¡¿ËÝÌõ¡¿ÈÇ of that »ñ¸», in a way that the fetching ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í can ¼Â¾Ú¤¹¤ë. This is an updated and ¤Ò¤É¤¯ ½¤Àµ¤¹¤ëd ¸«²ò¡¿ËÝÌõ¡¿ÈÇ of an ½é¤á¤Î Äó°Æ in a blog ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë.

½é¤á¤Ï, link »ØÌæs were Äó°Æ¤¹¤ëd as an ³ÈÄ¥ to URL syntax. This idea met with a chilly ´¿·Þ²ñ on ¤µ¤Þ¤¶¤Þ¤Ê IETF discussion ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ës, so it has been reformulated as an ³ÈÄ¥ to HTML. This makes it useful in a narrower »Ï¤á¤ë¡¤·è¤á¤ë of ¾õ¶·s, but half a loaf is better than no bread.

Idea

We define an Éղà ¤»¤¤¤Ë¤¹¤ë, "checksum", which is valid on all HTML elements which ¸ÀµÚ¡¿´ØÏ¢ a remote »ñ¸» using a URL - which I believe are <a>, <link>, <img>, <script>, <style>, <È¿ÂФ¹¤ë>, <applet>, <area>, <iframe> and <¤Ç¤Ã¤Á¤¢¤²¤ë¡¤¿Í¤òºá¤Ë´Ù¤ì¤ë>. (Some of these elements have more than one parameter which can be a URI, but it seems to me that the 'main' one is obvious in all »öÎã¡¿´µ¼Ôs.) For example:

<a href="http://www.example.com/path/to/downloadfile.Ãù¢½ê" checksum="sha256:09F9...">Download downloadfile.Ãù¢½ê</a>

The "sha256" is a short lower-»öÎã¡¿´µ¼Ô string identifying a particular hash algorithm and the numbers and letters are the SHA256 digest, or "»ØÌæ", of the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë in question. For ´ËϤ¹¤ë of ¼Â»Ü, this ´ð½à supports a Áª¤Ó½Ð¤¹¡¿ÆÈ¿È hash algorithm, SHA-256, which is considered °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë at the time of Îá¾õing. However, if problems develop, ¤½¤Î¾å¤Î algorithms could be standardised.

When downloading a ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë with a URL of this form, the ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í may ·×»»¤¹¤ë the checksum of the downloaded ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë and tell the »ÈÍÑ¼Ô if there is a mismatch. If there is a mismatch, the ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í MUST ºï½ü¤¹¤ë the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë.

This has several »ÈÍÑ¡¿Å¬ÍÑs. For example, if a company is ¶¡µë¤¹¤ëing a °ÂÁ´ update, by perhaps linking to it from their website or in an email, then the downloader can be more ³Î¤«¤Ê that they are getting the ¡¼¤¹¤ë¤Ä¤â¤ê¤Ç¤¢¤ëd ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë. To ÂåÍÑÉÊ¡¤¿Í a trojan, the ¹¶·â¼Ô would need to Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹ both the download ¾ì½ê¡¿°ÌÃÖ and the website ¶¡µë¡Ê¤¹¤ë¡Ëing the ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë - or the »ÈÍѼÔ's mailbox. In ¿·µ¬²ÃÆþ, if the company is using a mirror ÌÖ¾õÁÈ¿¥ to ¶¡µë¡Ê¤¹¤ë¡Ë the updates, it gives them some ¿®ÍÑ¡¿¿®Ç¤ that the ʬÇÛ¤¹¤ëd machines in the ÌÖ¾õÁÈ¿¥ are not serving a corrupt or trojaned ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë.

This ¼êÃÊ is not supposed to be a ¸òÂØ¡¿Êä½¼ for "proper" cryptography. It is ñ¤Ë a way of raising the ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È, whose Ĺ¡¤»ØƳ¼Ô advantage is that it Í׵᤹¤ës no work from the end »ÈÍѼÔ. However, it would have ¶¡µë¤¹¤ëd much quicker notification of at least some of the ºÇ¶á¤Î ¥½¥Õ¥È¥¦¥§¥¢ download trojaning attacks. Here's a quick ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë of the number of times I have discovered that this has happened:

• Sendmail (2002)
• OpenSSH (2002)
• tcpdump/libpcap (2002)
• Fragrouter (2002)
• BitchX (2003; would not have been ˸¤²¤ëd by LF)
• PostNuke (2004; not sure if LF would have helped)
• SquirrelMail (2007)
• WordPress (2007)

Advantages

• Neither ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë provider nor »ÈÍÑ¼Ô needs any specialised PKI Æ»¶ñs.
• There is no need for any changes to web servers.
• The ²þÁ±¤¹¤ëd °ÂÁ´ is ¶¡µë¤¹¤ëd in supporting »ÈÍÑ¼Ô ¥¹¥Ñ¥¤¡¿¼¹¹Ô´±s without any need for »ÈÍÑ¼Ô interaction or configuration.
• The °ÂÁ´ can be ¶¡µë¤¹¤ëd on any type of ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë, no »öÊÁ what its ÆâÉô¤Î structure.
• No ¸í¤Ã¤¿ sense of °ÂÁ´ is given - if the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë downloads Àµ³Î¤Ë, the »ÈÍÑ¼Ô ¥¹¥Ñ¥¤¡¿¼¹¹Ô´± should behave as with a normal, unmarked download.

Error Behaviour

The checksum can be checked for °æ¸Í¡¿ÊÛ¸î»ÎÀÊ-formedness (ÄûÀµ¤¹¤ë number of characters, hex digits only) at the time it is requested. If it is not °æ¸Í¡¿ÊÛ¸î»ÎÀÊ-formed, the »ÈÍÑ¼Ô ¥¹¥Ñ¥¤¡¿¼¹¹Ô´± should give an error straight away and not request the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë. E.g. "This link is broken; download is not possible.".

If, after download, the hashes do not match, the ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í MUST ºï½ü¤¹¤ë the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë so as to ˸¤²¤ë the »ÈÍÑ¼Ô ¿­¤Ó¡Ê¤ë¡Ëing Àܶá to it. I believe this strict behaviour is reasonable, as the mismatch could be for one of several ¿äÏÀ¤¹¤ë¡¿Íýͳs:

1. The download has been unrecoverably corrupted
2. The download was changed (trojaned)
3. The ½é¤á¤Î URL was incorrectly created

In all »öÎã¡¿´µ¼Ôs, giving the »ÈÍÑ¼Ô Àܶá to the downloaded data is a ´í¸± - in the »öÎã¡¿´µ¼Ô of #3, because you can't tell the difference between it and #2. The URL creator ÌÀÇò¤Ë thought the data important enough to use link »ØÌæs, and the Êݸî has flagged a problem. So going »Ù±ç¤¹¤ë to the owner for a proper URL is reasonable. If ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë owners want downloaders to ÊÝ»ý¤¹¤ë the download even if the hash is different, they should ´Êñ¤Ë not use link »ØÌæs.

So the error would say something like: "·Ù¹ð: the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë at URL <url> is corrupted and unusable. Please ÀÜ¿¨¤¹¤ë the person or ¾ì½ê¡¿°ÌÃÖ ÀÕǤ¤¬¤¢¤ë the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë." Or, for something like a download ·Ð±Ä¼Ô¡¿»ÙÇÛ¿Í: "¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë corrupt. Download failed. ÀÜ¿¨¤¹¤ë ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë owner".

Á°¿Ê¤¹¤ëd »ÈÍѼÔs could, of course, re-request the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë without the »ØÌæ using Copy Link ¾ì½ê and pasting into the URL ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È. But it is assumed that anyone who knows how to do that would understand the consequences.

È¿ÂÐs

This is just a reinvention of the Content-MD5 HTTP header

No. Content-MD5 is sent by the same server which is serving the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë; if the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë gets changed or corrupted, the web server will most likely recalculate the Content-MD5 header. So there is no Áý²Ã¤¹¤ë in °ÂÁ´.

If the browser gives an error, people will just use another browser

This argument could be used against any ·×²è¡¿±¢ËÅ which ˸¤²¤ës browser »ÈÍѼÔs doing dangerous things. Yet still browsers have recently ´ï¶ñ¡¿¼Â»Ü¤¹¤ëd anti-phishing and anti-malware ²Ê³Ø¡Ê¹©³Ø¡Ëµ»½Ñs. Also, if one person bypasses the error by switching browser, another will see the significance and ·ÙÊó the ¾ì½ê¡¿°ÌÃÖ. Only a subset of »ÈÍѼÔs have to be using a LF-supporting ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í in order for the takedown time for µ¶¤Î ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës to be ²þÁ±¤¹¤ëd, and therefore the Êݸî level to be Áý²Ã¤¹¤ëd.

¤½¤Î¾å¤Î Considerations

For °ÂÁ´ ¿äÏÀ¤¹¤ë¡¿Íýͳs, the »ØÌæ would need to be Êݸ¤¹¤ëd through any redirects. Such redirects should not be able to ̵»ë¡¿Ìµ¸ú the »ØÌæ with another one.

Compatibility

Using an ¤»¤¤¤Ë¤¹¤ë to »ý¤Ä¡¿¹´Î±¤¹¤ë the checksum ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë makes the links ´°Á´¤Ë backwardly-ξΩ¤Ç¤­¤ë with ¸½ºß¤Î HTML »ÈÍÑ¼Ô ¥¹¥Ñ¥¤¡¿¼¹¹Ô´±s. They will ñ¤Ë fetch the ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë and not check the checksum, which is the same behaviour as before the introduction of Link »ØÌæs. Their Êݸî comes from the fact that hopefully a downloader using a link-»ØÌæ-aware ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í will raise the alarm sooner than the tiny number of downloaders who ¸½¼Â¤Ë check ¶¡µë¤¹¤ëd checksums manually.

Link »ØÌæs could also be used on ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës ¡¼¤¹¤ë¤Ä¤â¤ê¤Ç¤¢¤ëd for ÄÄÎ󤹤롤ȯ´ø¤¹¤ë rather than download, but this is not considered a ºÇ½é¤Î¡¿¼çÍ×¤Ê use »öÎã¡¿´µ¼Ô.

¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís are encouraged not to ´ï¶ñ¡¿¼Â»Ü¤¹¤ë any hash algorithm other than SHA-256, until and unless SHA-256 is ÀßΩ¤¹¤ë to have ·ç´Ùs. Áý¿£ of algorithms raises the ½Å²Ù¡Ê¤òÉé¤ï¤»¤ë¡Ë on ´ï¶ñ¡¿¼Â»Ü¤¹¤ëing ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís. New algorithms should be agreed with other implementors, and must be ²òÊü¤¹¤ë¡¿¼«Í³¤Ê of Æõö encumbrance.

However, for º£¸ås-compatibility and later extensibility, the parsing algorithm is as follows. Take the contents of the "checksum" ¤»¤¤¤Ë¤¹¤ë, and ʬÎö¡Ê¤¹¤ë¡Ë on semicolon. For each resulting string (one, in the ¤¢¤ê¤Õ¤ì¤¿ »öÎã¡¿´µ¼Ô), ¡ÊÅÚÃϤʤɤΡ˺ÙŤ¤°ìÊÒ all whitespace and then look for a known hash »Ø̾¤¹¤ë (followed by ·ëIJ) as a prefix. ²áÄø the »Ä¤ê¤Î¿Í¡¤Êª of the text ¤Ë¤è¤ì¤Ð the ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í's knowledge of that algorithm. ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Ís should silently ignore hash prefixes (e.g. "sha1:") they do not recognise. This ·×²è¡¿±¢ËÅ µö¤¹s for ¿½Å¤Î algorithms to be ÌÀ¼¨¤¹¤ëd during any ̤Íè period of °Ü¹Ô.

Credits

Thanks to Microsoft for unwittingly giving me the idea for this by Ãߤ¨¤ë¡¿Å¹ing °ÂÁ´ updates in directories »Ø̾¤¹¤ëd using GUIDs.