1

I would like to use a CDN for the static content of a website. But obviously I do not wish to share my SSL key with any external service. What are my options?

An ideal solution would be to link to unencrypted static content but enforce (!) that browsers authenticate this content, for example by checking that it matches a hash. I imagine including this hash with every static link. But can it be done? I do not want to trigger a mixed-content warning, and I also do not want to open a security hole by either not authenticating static content or by giving the CDN the ability to sign anything with my key.

Can this be done? If not with current browsers, what needs to be done to make it possible?

  • 1
    Unfortunately browsers don't support hash verification on linked resources. – CodesInChaos Nov 11 '13 at 20:01
  • I suppose not, but it seems like a really desirable feature. I mean, isn't that something that they should support, if not now, then certainly in the near future? Can we emulate it somehow (e.g. in javascript)? I'm just concerned that, with anything added in javascript, would execute a bit late, after the external content was already loaded. –  Nov 13 '13 at 14:46
  • I think I found [a question](http://security.stackexchange.com/questions/29696/content-hashes-to-help-protect-resources-being-fetched-from-a-cdn/57150) I seem to have duplicated, and added [my own answer](http://security.stackexchange.com/questions/29696/content-hashes-to-help-protect-resources-being-fetched-from-a-cdn/57150#57150) there rather than here. –  May 02 '14 at 16:22

1 Answers1

1

Since you have no control over how the browser checks for mixed content you have to have all content load over SSL, otherwise you will get mixed content warnings.

You don't have to give up your private keys to a CDN if they already provide an HTTPS endpoint. The only difference is that you don't get your own custom domain. That, I think, is a pretty reasonable trade off.

Steve
  • 15,215
  • 3
  • 38
  • 66
  • Now I wonder just what had made me think it would have to be under the same domain if it used HTTPS! Thanks for spelling it out for me. –  Nov 11 '13 at 20:22