undefined | Better HN

0 pointsdomenicd5y ago0 comments

+1. The way I think about it is that signed exchanges are basically a way of getting the benefits of a CDN without turning over the keys to your entire kingdom to a third party. Instead you just allow distribution of a single resource (perhaps a bundle), in a crytographically verifiable way.

Stated another way, with a typical CDN setup the user has to trust their browser, the CDN, and the source. With signed exchanges we're back to the minimal requirement of trusting the browser and the source; the distributor isn't able to make modifications.

0 comments

skybrian5y ago

It seems like there is a risk that an old version of a bundle will get served instead of a new one by an arbitrary host? Maybe the bundle should have a list of trusted mirrors?

gregable5y ago

There is a publisher selected expiration date as part of the signed exchange which the client inspects. The expiration also cannot be set to more than 7 days in the future on creation. This minimizes, but of course does not eliminate, this risk.

xg155y ago

It also makes signed exchanges completely unusable for delivering packages offline. (E.g. the USB stick scenario)

What a bummer.

1 more reply

gpm5y ago

Alternatively super short expiry times. It doesn't seem like it would be that concerning to have another site serving a bundle that was 5 minutes out of date. It doesn't seem like it should be too much load to be caching content every 5 minutes.

1 more reply

jml7c55y ago

I could see some sort of alternative URL bar ("https://nyt.com/somearticle/ | served by https://somecdn.example.org/blah"), but complete replacement is far too dangerous and confusing in that it is completely hidden.

jefftk5y ago

The New York Times surely already serves their pages through a CDN, silently, and with the CDN having the full technical capability to modify the pages arbitrarily. Signed exchange allows anyone to serve pages, without the ability to modify them in any way.

(Disclosure: I work for Google, speaking only for myself)

jml7c55y ago

My objection is that it's no longer clear if you're dealing with content addressing or server addressing. If I see example.com in the URL bar, is it a server pointed from the DNS record example.com (a CDN that server tells me to visit), or am I seeing content from example.com? If I click a link and it doesn't load, is it because example.com is suddenly down, or has it been down this whole time? Is the example.com server slow, or is the cache slow? Am I seeing the most recent version of this content from example.com, or did the cache miss an update?

1 more reply

ignoramous5y ago

> a way of getting the benefits of a CDN without turning over the keys to your entire kingdom to a third party.

https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-tec... is a thing now.

icebraining5y ago

The session key, which is given carte blanche by the TLS cert to sign whatever it wants under the domain, is still controlled by Cloudflare.

To put it simply, Cloudflare still controls the content. The proposal here would avoid that, by allowing Cloudflare to transmit only pre-signed content.

Spivak5y ago

Your browser would have a secure tunnel to CloudFlare which is encrypted with their key. But then that tunnel would deliver a bundle of resources verified your browser differently that CF doesn’t have the key for.

j / k navigate · click thread line to collapse

0 comments

skybrian5y ago

It seems like there is a risk that an old version of a bundle will get served instead of a new one by an arbitrary host? Maybe the bundle should have a list of trusted mirrors?

gregable5y ago

xg155y ago

It also makes signed exchanges completely unusable for delivering packages offline. (E.g. the USB stick scenario)

What a bummer.

1 more reply

gpm5y ago

1 more reply

jml7c55y ago

jefftk5y ago

(Disclosure: I work for Google, speaking only for myself)

jml7c55y ago

1 more reply

ignoramous5y ago

> a way of getting the benefits of a CDN without turning over the keys to your entire kingdom to a third party.

https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-tec... is a thing now.

icebraining5y ago

The session key, which is given carte blanche by the TLS cert to sign whatever it wants under the domain, is still controlled by Cloudflare.

To put it simply, Cloudflare still controls the content. The proposal here would avoid that, by allowing Cloudflare to transmit only pre-signed content.

Spivak5y ago

j / k navigate · click thread line to collapse