from Hacker News

Ask HN: Prove a web site is using its open source repository

by jodoglevy on 2/11/14, 1:58 AM with 2 comments

Hi all. I'm working on an idea and it requires trust. So I have a public git repo where my source code goes, and my web site deployments pick up the source from there. However, I am worried people will just think "ok, this source looks safe, but how do I know your service is using this source and not a slightly modified malicious version?"

I know with client software they can use a checksum to check this, but is there some way to do this for a web site?

  • by grivkees on 2/11/14, 6:26 AM

    I think the only way you could do this is if a user trusted the PaaS underneath the software, and the PaaS offered a way for a user to verify the hash of whats running on their system.

    The only other way you could find a hash of the code running on the server is if you asked the service, but in that case the service could always just lie. Even if you did some sort of challenge response that could only be answered with having the public source code and hashing it with a nonce, you could just provide the public source to your malicious binary, and it would respond as it wished.

  • by aprescott on 2/11/14, 2:27 AM

    I think any setup which requires the website to respond to requests intended to verify its own authenticity will probably not work. Any verification requests could be passed upstream to a separate running application in order to calculate a valid response. This response would then be passed back to the client. All other requests and code paths would still potentially go through a modified or malicious variant.