HolyJS 2018 Msc (24.11.2018)

Paranoid Service Worker


This is a talk about a number of new browser APIs and combinations of them that allow us not to trust servers, third parties, the network connection, or even the browser itself. Because we can, and because being paranoid is good.

Our story starts not so long ago.

It was the year 2018. Everything was getting hacked: Facebook accounts, Google doors, and browser plug-ins; Chinese phones were sold with a free built-in connection to botnets; you could still read the contents of RAM via HTTPS, the location of secret bases via fitness websites (Strava), and memory in other processes (Meltdown and Spectre) via the division, even from the "protected zone" in the processor’s memory (Foreshadow). The Internet was filled with rumors (which turned out to be true) that there is one more computer inside the processor, on which you can run DOOM (allegedly). And the cherry on top was that it was technically possible to disable a server by sending ones and zeros across the network so that the electrons began to jump out of RAM (Nethammer/Throwhammer).

And the question hung in the air: "Is it even possible to store at least some data in browsers without fear of it being stolen?"

Little by little the understanding came that it seemed possible. But you cannot trust anyone, neither yourself nor others. The client must check the server and the server must check the client so that nothing happens for no reason, and the sandbox must hold inside another sandbox across itself. Little by little it turned into real paranoia, but it ended with a number of unique finds, which this talk will cover.