Before downloading a software release, we all know to verify the GPG signature before even trying to unpack that tarball. And when such a signature is not available, we all know to chastise the developer for not taking security seriously. But what happens with deployed web resources? How can these be verified before we trust them with our secure data?
I would like to show a proof-of-concept of out-of-band verification of web content (.js, .html, .jpeg, etc.), using DNS as the out-of-band channel, before the browser is allowed to execute it or trust it with our data.
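The verification decision at the heart of that idea, as an added example that is not the proof-of-concept's own code: the record naming convention, the TXT record format and the in-memory stand-in for a DNS resolver are all assumptions made here; a real deployment would also require the TXT lookup to be DNSSEC-validated, or the out-of-band channel is no stronger than the in-band one.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for a DNS resolver: TXT record name -> list of strings.
# The record name convention (<hash-of-path>._webhash.<host>) and the record
# syntax ("v=1; alg=sha256; hash=<hex>") are assumptions for this example.
FAKE_DNS_TXT = {}

def record_name(url):
    """Derive the TXT record name for a resource URL (assumed convention)."""
    p = urlparse(url)
    path_label = hashlib.sha256(p.path.encode()).hexdigest()[:32]
    return f"{path_label}._webhash.{p.hostname}"

def publish(url, body):
    """What the site operator does: publish the expected hash in DNS."""
    digest = hashlib.sha256(body).hexdigest()
    FAKE_DNS_TXT[record_name(url)] = [f"v=1; alg=sha256; hash={digest}"]

def parse_record(txt):
    """Parse 'k=v; k=v' into a dict; unknown keys are kept but ignored."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            fields[k.strip().lower()] = v.strip().lower()
    return fields

def verify(url, body, resolver=FAKE_DNS_TXT):
    """Return 'ok' if a usable record matches the fetched body, 'mismatch' if
    usable records exist but none match, and 'unpublished' if there is no
    usable record at all (the caller decides whether that means fail-closed)."""
    actual = hashlib.sha256(body).hexdigest()
    usable = False
    for txt in resolver.get(record_name(url), []):
        rec = parse_record(txt)
        if rec.get("v") != "1" or rec.get("alg") != "sha256":
            continue  # skip records of a version or algorithm we don't know
        usable = True
        if hmac.compare_digest(rec.get("hash", ""), actual):
            return "ok"
    return "mismatch" if usable else "unpublished"
```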