One problem is the slow adoption of SRI, which is why sritest.io was born. The new service enables website owners and frontend developers to evaluate their sites for SRI hash usage. Sritest.io aims to help the widespread implementation of SRI and, ultimately, to protect website visitors from malicious code.
Update (5 Jun 2020): The sritest.io service is discontinued.
Hosting Website Assets with Third-Parties
Both free and paid CDNs offer two benefits for website owners. Firstly, they serve the assets from geographically close data centers, which gives visitors a better experience because pages load faster. Secondly, CDNs offer uptime close to 100%.
The Problem with Trusting Third-Parties
Subresource Integrity for the Rescue
One solution to the problem is the World Wide Web Consortium's (W3C) new standard named Subresource Integrity (SRI). The intention of this standard is to protect third-party hosted website assets from tampering: the page author puts a cryptographic hash of the expected file in an integrity attribute, and the browser refuses to run or apply the fetched asset unless its hash matches.
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js" integrity="sha256-ImQvICV38LovIsvla2zykaCTdEh1Z801Y+DSop91wMU=" crossorigin="anonymous"></script>
What is the Issue with SRI then?
Although SRI is great, the main problem is the lack of widespread implementation. As of January 2016, only two sites out of the first ten from Alexa Top 500 implement SRI on their home page.
The other issue is the relatively immature tooling around SRI. The easiest way to generate SRI hashes for remote assets is to run OpenSSL from the terminal, or to use services such as srihash.org or the one at Report URI.
On the plus side, developers can also generate SRI hashes automatically. Plugins for popular build tools, like Grunt or Gulp, have started to appear lately for generating the hashes. WordPress has a plugin to bolt the hashes on. Sadly, the popularity (download count) of these tools is still quite low compared to other popular, but unrelated, plugins.
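To make the hashing step concrete, the following added example (not code from the article or from sritest.io) computes an integrity value with Python's standard library, matching what the OpenSSL one-liner produces, and then replays the browser-side check: an integrity attribute may list several values, the user agent keeps only the strongest algorithm it supports, and any matching digest among those accepts the resource. The asset bytes are a constructed stand-in for a real file such as jquery.min.js.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed stand-in for a third-party asset such as jquery.min.js;
# in practice the bytes come from the CDN response or the file on disk.
SAMPLE_ASSET = b"(function(){console.log('hello from a third-party script');})();\n"

# Algorithms the SRI spec recognises, listed from weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'.

    Equivalent to the terminal one-liner:
        openssl dgst -sha384 -binary asset.js | openssl base64 -A
    """
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Mimic the browser's check of fetched bytes against an integrity attribute.

    Values with unknown algorithms are ignored; of the remaining ones only the
    strongest algorithm is considered, and one matching digest is enough.
    """
    parsed = []
    for token in integrity.split():
        algorithm, sep, rest = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            # The grammar allows an optional "?options" suffix; drop it.
            parsed.append((algorithm, rest.split("?", 1)[0]))
    if not parsed:
        return False  # a malformed attribute gives no protection at all

    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    expected = hashlib.new(strongest, data).digest()
    for algorithm, b64 in parsed:
        if algorithm != strongest:
            continue
        try:
            given = base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue  # an undecodable digest can never match
        if hmac.compare_digest(expected, given):
            return True
    return False


if __name__ == "__main__":
    value = sri_hash(SAMPLE_ASSET)
    print("integrity attribute:", value)
    print("original bytes verify:", verify_sri(SAMPLE_ASSET, value))
    print("tampered bytes verify:", verify_sri(SAMPLE_ASSET + b"//x", value))
```

Note that adding a weaker second value (say a sha256 beside a sha384) does not widen what the browser accepts: the weaker one is discarded, so a correct sha256 next to a wrong sha384 still fails.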
Scanning Sites for SRI Usage
To help the broad implementation of SRI, I have launched sritest.io. This service helps website owners and frontend developers alike to assess websites for Subresource Integrity usage.
The service is similar to Qualys's SSL Server Test, where anyone can submit URLs to be scanned for their SSL implementation. Another example is securityheaders.io, which assesses any website for security-related HTTP headers, such as Content-Security-Policy or HTTP Strict Transport Security (HSTS).
The report also provides a detailed list of unprotected website assets.
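The core of such a report is a pass over the page's HTML that lists every script and stylesheet, decides which ones come from another origin, and checks whether those carry a usable integrity attribute. The following added example (my own illustration, not the code behind sritest.io) does that with the standard-library HTML parser on a constructed sample page; the jQuery tag is the one shown earlier in the article, while cdn.example and static.example are reserved placeholder hosts. It also flags a case a simple presence check misses: an integrity attribute on a cross-origin asset without crossorigin, which the browser cannot verify and therefore blocks.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample page. The jQuery tag is the one shown earlier in the
# article; cdn.example and static.example are reserved placeholder hosts.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://cdn.example/lib/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"
        integrity="sha256-ImQvICV38LovIsvla2zykaCTdEh1Z801Y+DSop91wMU="
        crossorigin="anonymous"></script>
<script src="//static.example/analytics.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example/widget.js" integrity="md5-notsupported"></script>
<script src="/js/app.js"></script>
</head><body></body></html>
"""


class SubresourceCollector(HTMLParser):
    """Collect external scripts and stylesheets, the element types SRI covers."""

    def __init__(self):
        super().__init__()
        self.assets = []  # (kind, url, attribute dict)

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): value for name, value in attrs}
        if tag == "script" and a.get("src"):
            self.assets.append(("script", a["src"], a))
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self.assets.append(("stylesheet", a["href"], a))


def usable_integrity(value):
    """True if the attribute holds at least one value a browser would check."""
    if not value:
        return False
    for token in value.split():
        algorithm, sep, _ = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            return True
    return False


def scan_page(html, page_url):
    """Classify each subresource the way an SRI report would."""
    page_host = urlparse(page_url).netloc.lower()
    collector = SubresourceCollector()
    collector.feed(html)
    report = {"first_party": [], "protected": [], "unprotected": [],
              "missing_crossorigin": []}
    for _kind, url, a in collector.assets:
        host = urlparse(url).netloc.lower()  # "" for relative URLs
        if not host or host == page_host:
            report["first_party"].append(url)
            continue
        if not usable_integrity(a.get("integrity")):
            report["unprotected"].append(url)
        elif "crossorigin" not in a:
            # Cross-origin integrity checks need a CORS response; without the
            # crossorigin attribute the browser cannot read the bytes to hash
            # them and refuses to load the asset.
            report["missing_crossorigin"].append(url)
        else:
            report["protected"].append(url)
    return report


if __name__ == "__main__":
    for bucket, urls in scan_page(SAMPLE_PAGE, "https://www.example.com/").items():
        print(bucket)
        for url in urls:
            print("   ", url)
```

The "unprotected" bucket is the list a report like the one described above would show; "missing_crossorigin" is worth reporting separately, since the asset is not merely unprotected but will not load at all in a browser that enforces SRI.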
Expected Benefits of sritest.io
The new service will hopefully boost the implementation of SRI. Sritest.io aims to help key people to implement the protection.
Sritest.io helps website owners assess their sites easily without digging into the source code. Software developers can also submit production, staging, or development URLs to check for the presence of SRI on pages still under development. Finally, penetration testers may also include the level of SRI implementation in their reports.
The reports can be passed around as necessary between these key people, as each SRI report is available on a unique URL.
A new service named sritest.io was born to foster the implementation of SRI. It lets website owners, frontend developers, and penetration testers quickly evaluate any web page for SRI usage. The service is easy to use, and there is no need to read the HTML code.