[Cryptography] Encrypting web pages ?

Sam Hartman hartmans at mit.edu
Sun Jun 6 11:10:51 EDT 2021


>>>>> "Henry" == Henry Baker <hbaker1 at pipeline.com> writes:

    Henry> Since most web pages are hosted at server farms, it would
    Henry> make sense to have them encrypted *at rest*.

Erm, what, huh?
Can you go into your threat model a little more here?
This makes sense in cases where confidentiality of the web page from the
"server farm" is a desirable property
and where the key management makes that reasonable to achieve.

I think exploring cases where this will be true and coming up with a few
user stories will help figure out whether this is worth spending
resources on and help narrow the design.

My initial reaction is highly skeptical.
Another poster already talked about dynamic content.
From the static content, much of it is public--content that would be
served to anyone, where confidentiality at rest appears to have little
value.

As an example of how the user story might matter,
consider the case where static resources are being stored in a CDN, but
where we trust the CDN or some initial service worker to be
authenticated and trust that code.
In such a case, we can effectively download the decryption logic to the
browser, and even accomplish things with no browser changes.

But in other user stories where for example you're not willing to get
and trust some initial JavaScript, your design space looks very
different.

And as I said for a lot of the public web this doesn't appear to make
any sense at all on first glance.
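
The CDN user story in the post above, sketched as an added example that is not part of the original message: static content is stored encrypted, and trusted bootstrap code holding the key decrypts it client side. Node's crypto module stands in for the browser's WebCrypto; the function names, the blob layout (nonce, ciphertext, tag), the use of the path as associated data, and a key that reaches the bootstrap out of band are all assumptions of this sketch.

```javascript
// Added illustration, not from the thread; Node crypto stands in for WebCrypto.
const nodeCrypto = require('node:crypto');

const NONCE_LEN = 12; // AES-GCM nonce
const TAG_LEN = 16;   // AES-GCM authentication tag

// Publisher side: encrypt a static resource before uploading it to the CDN.
// The path is bound as associated data, so a blob cannot be served elsewhere.
function sealForCdn(key, path, plaintext) {
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(path, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// Browser side (the trusted initial script or service worker): decrypt what
// the CDN returned. Returns null for anything truncated or modified.
function openFromCdn(key, path, blob) {
  if (blob.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const body = blob.subarray(NONCE_LEN, blob.length - TAG_LEN);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
    decipher.setAAD(Buffer.from(path, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch (err) {
    return null; // authentication failed
  }
}

// Constructed sample: the CDN is modelled as a map that only sees ciphertext.
function demo() {
  const key = nodeCrypto.randomBytes(32); // assumed to reach the bootstrap out of band
  const cdn = new Map();
  const page = Buffer.from('<h1>members only</h1>', 'utf8');
  cdn.set('/members.html', sealForCdn(key, '/members.html', page));
  const stored = cdn.get('/members.html');
  const flipped = Buffer.from(stored);
  flipped[NONCE_LEN] ^= 1; // one bit changed at rest
  return {
    opaqueAtRest: !stored.includes(page),
    roundTrip: openFromCdn(key, '/members.html', stored).toString('utf8'),
    tampered: openFromCdn(key, '/members.html', flipped),
    movedPath: openFromCdn(key, '/index.html', stored),
  };
}
```

The confidentiality this buys holds only against a party that stores the blobs without also holding the key or controlling the bootstrap code.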

