Consider implementing means of detecting content deployed by an adversary
Currently Samizdat is unable to notice if, for whatever reason, content returned by any transport plugin (`fetch`, or any other that does not inherently provide end-to-end verification of content) has been maliciously modified.
- Website is deployed with Samizdat in the current default configuration (
- An adversary takes over the original domain, and deploys a new SSL certificate
- The adversary then deploys their own versions of some content (`index.html`, for example)
- When a user visits the site, `fetch` succeeds and the adversary-controlled `index.html` is displayed; alternative transports are never used for that file.
- Website is deployed with Samizdat configured to pull content from Google Drive as an alternative endpoint, in case the original website is unavailable.
- An adversary gains access to the Google Drive folder by whatever means and modifies content.
- Then, the adversary blocks the original domain.
- Content modified by the adversary is now served to users.
This could be mitigated to some extent with some form of content signing, at least for HTML/CSS/JS, but at a cost of added complexity. Perhaps it could be implemented as an optional plugin, which would wrap any other plugin, and verify the content signature against a known public key of some sort. If the signature does not match (or is absent), throw an error.
The signature could be added as a comment in the last line of text-based files, for example. Headers won't work, since with most plugins there is no way to control the headers.
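
A sketch of the wrapping plugin proposed above, added here as an illustration and not taken from Samizdat's code. The plugin shape (`{ name, fetch(url) }` returning a `Response`), the `samizdat-sig:` comment format, and the choice of ECDSA P-256 with SHA-256 are all assumptions.

```javascript
// Added example: hypothetical wrapper plugin, not Samizdat's actual plugin API.
// Assumed format: the last line of a text file is a comment containing
// "samizdat-sig:<base64 ECDSA P-256/SHA-256 signature over all preceding text>".
const SIG_LINE = /\n[^\n]*samizdat-sig:([A-Za-z0-9+/=]+)[^\n]*\n?$/;
const ALG = { name: 'ECDSA', hash: 'SHA-256' };

async function getSubtle() {
  // Service workers expose crypto.subtle; the import is only reached on older Node.
  return globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
}

// Returns the content with the signature line stripped, or throws.
// Only the signed text is returned, so nothing on the signature line can reach the page.
async function verifySigned(text, publicKey) {
  const m = SIG_LINE.exec(text);
  if (!m) throw new Error('signature missing');
  const body = text.slice(0, m.index);
  const sig = Uint8Array.from(atob(m[1]), (c) => c.charCodeAt(0));
  const subtle = await getSubtle();
  const ok = await subtle.verify(ALG, publicKey, sig, new TextEncoder().encode(body));
  if (!ok) throw new Error('signature mismatch');
  return body;
}

// Wraps any transport plugin (assumed shape: { name, fetch(url) -> Promise<Response> }).
function signedWrapper(inner, publicKey) {
  return {
    name: `signed(${inner.name})`,
    async fetch(url) {
      const res = await inner.fetch(url);
      const body = await verifySigned(await res.text(), publicKey);
      const headers = new Headers(res.headers);
      headers.delete('content-length'); // body is shorter once the signature line is stripped
      return new Response(body, { status: res.status, headers });
    },
  };
}

// Publisher side, run at deploy time: append the signature as a trailing comment.
// Pass open='/* ' and close=' */' for CSS and JS files.
async function signText(text, privateKey, open = '<!-- ', close = ' -->') {
  const subtle = await getSubtle();
  const sig = await subtle.sign(ALG, privateKey, new TextEncoder().encode(text));
  const b64 = btoa(String.fromCharCode(...new Uint8Array(sig)));
  return `${text}\n${open}samizdat-sig:${b64}${close}\n`;
}
```

Because the wrapper throws on a missing or mismatched signature, the caller can treat it like any other transport failure and move on to the next plugin. The public key has to ship with the already-installed service worker configuration rather than be fetched alongside the content it verifies.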