I want a script that is running on the client to compute a collision resistant h
Question
I want a script that is running on the client to compute a collision-resistant hash and send it to a server. I need to ensure that the script which performs this hash is not altered in any malicious way. Is there any protocol that exists which can ensure that the client script that calculates the hash has not been altered?
I have an idea whereby the script sends back an HMAC signature of itself, but on second thoughts, this would not stop an attacker from fooling the server if the code is altered.
Explanation / Answer
In short, any proposed solution to this problem would be a violation of CWE-602: Client-Side Enforcement of Server-Side Security.
Even if what you are suggesting were possible in some bizarro universe, it would be insecure. A client (or an attacker) doesn't just execute scripts; they are able to view and modify everything in memory, as well as intercept, modify and create any request transmitted over the network. Thus checking the integrity of the script doesn't even come close to solving the root of the problem. In short, this proposal is a fundamental violation of modern security and there never will be a solution to this problem. (And no one should need to do this.)
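The following is an added illustration, not part of the original question or answer. It models the self-HMAC idea from the question beside a server-side check, to show that the attestation is identical for an honest and an altered client. All names, the key, the nonce and the script bytes are constructed for the example, and it assumes the server can obtain the hashed data itself.

```python
import hashlib
import hmac

# Constructed sample values; every name here is hypothetical.
ORIGINAL_SCRIPT = b"send(sha256(input))"   # bytes of the script the server shipped
KEY = b"demo-key-shipped-to-client"        # any key the script uses is client-readable


def attest(script: bytes, nonce: bytes) -> str:
    """HMAC 'signature of itself' that the client script would send back."""
    return hmac.new(KEY, nonce + script, hashlib.sha256).hexdigest()


def honest_client(data: bytes, nonce: bytes) -> dict:
    return {"hash": hashlib.sha256(data).hexdigest(),
            "attestation": attest(ORIGINAL_SCRIPT, nonce)}


def altered_client(data: bytes, nonce: bytes) -> dict:
    # Different logic runs, but the attestation is computed over a saved copy
    # of the original bytes, so it is identical to the honest one.
    return {"hash": hashlib.sha256(b"not the real input").hexdigest(),
            "attestation": attest(ORIGINAL_SCRIPT, nonce)}


def server_trusts_attestation(msg: dict, nonce: bytes) -> bool:
    """Client-side enforcement: accept if the self-HMAC matches."""
    return hmac.compare_digest(msg["attestation"], attest(ORIGINAL_SCRIPT, nonce))


def server_recomputes(msg: dict, data: bytes) -> bool:
    """Server-side enforcement: ignore the attestation, recompute the hash."""
    return hmac.compare_digest(msg["hash"], hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    nonce, data = b"constructed-nonce", b"constructed input"
    for name, client in (("honest", honest_client), ("altered", altered_client)):
        msg = client(data, nonce)
        print(name, server_trusts_attestation(msg, nonce), server_recomputes(msg, data))
```

The attestation check passes for both clients, so it carries no information; only the value the server recomputes itself separates them.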