Hi all,
For my master's thesis, and as a way to showcase a solution to the long-standing problem of using web applications for cryptographic tasks in the browser, without having to rely on server trust, I've developed a system that integrates a few components:
- Sigsum is used to transparently build a list of authorized signers for each domain that wants to participate in the system.
- Sigstore is used to sign executable web assets (JS, HTML, CSS, WASM) using OIDC identities, with the authorization for a specific domain verified against the Sigsum-powered list.
The demo shows the system securing some of the most common self-hostable web apps, such as Jitsi, Element, and CryptPad.
There is currently some shared interest from the Tor Project in bringing similar functionality into TBB.
For a higher-level description, see [1], and for the project repository, see [2]. I’ll share my thesis at a later date, which will include additional insights and threat modeling for the whole system.
Cheers,
Giulio
[1] - https://securedrop.org/news/introducing-webcat-web-based-code-assurance-and-...
[2] - https://github.com/freedomofpress/webcat