Can an HTML5 document with a digital signature be authenticated?
A digital signature on an HTML5 document cannot be authenticated the same way a PDF can. Expert Michael Cobb explains how enterprises should address this issue.
I was reading your article on HTML5 security. In our company, we are working on a feature to deliver HTML5-based documents to customers, and we are facing an issue regarding the authenticity of the document. PDFs can be signed and, somehow, we are assured of the credibility of the entity that is sending the documents. Is there a way that this can also work for an HTML5 document?
Digital signatures cryptographically bind an electronic identity to an electronic document or message. Signing an electronic document with a digital signature provides the recipient with these assurances regarding the document:
- Authenticity: assurance that the signer is who he claims to be;
- Integrity: assurance that the content has not been changed or tampered with since it was digitally signed; and
- Nonrepudiation: proof of informed consent and approval by the signatory who cannot deny having sent the message.
Unlike ink signatures on a paper document, a digital signature cannot be copied from one document to another, and the signature applies to the entire document; changing any element of the document after signing invalidates the signature. The U.S. Government Printing Office publishes electronic versions of the budget, public and private laws, and congressional bills with digital signatures, and these digitally signed documents are legally binding for most business and personal transactions around the world. There are plenty of tools and plug-ins for signing PDFs, Microsoft Office documents and digital messages such as email, and many applications allow users to easily verify a digital signature and the authenticity of the digital message or document.

The problem you face with signing an HTML5 document is that there is a strong possibility that some of the content will be links to external resources, such as style sheets, JavaScript and images. If you digitally sign and send an HTML5 document, the recipient can validate the signature and check that you sent it and that it has not been changed, but they cannot validate that the document's external elements have not been altered. A link may not have changed, but the content that the link references may have, and the integrity check would not produce a warning. For example, even the following simple HTML5-formatted message links to an external style sheet, which the digital signature does not cover.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Meeting Confirmation</title>
<link rel="stylesheet" href="https://www.yourcompanywebsite.com/css/style.css">
</head>
<body>
<p>Hi George,</p>
<p>I confirm our meeting tomorrow at <b>10 o'clock</b>.</p>
</body>
</html>
A malicious insider or hacker with access to the style.css file could modify it to launch an attack. This is why Microsoft Office blocks external content such as images, linked media, hyperlinks and data connections in workbooks and presentations by default: to prevent potentially malicious code from running without the user's knowledge or consent.

The only way to overcome this problem would be to embed the entire content of an HTML5 document into the message, but this would be very arduous in all but a few simple cases. The document above could be rewritten using either inline style attributes or the style element in the head section:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Meeting Confirmation</title>
<style>
body {
background-color: linen;
}
p {
color: black;
margin: 10px;
}
b {
color: black;
font-weight: 900;
}
</style>
</head>
<body>
<p>Hi George,</p>
<p>I confirm our meeting tomorrow at <b>10 o'clock</b>.</p>
</body>
</html>
However, embedding JavaScript and images would quickly increase the size of the document and would be impractical in complex documents. For example, you would not want to embed the entire jQuery JavaScript library in every document. For now, you can assure the credibility of the entity sending an HTML5 document but not necessarily the integrity of its contents in the same way as you can a PDF document.
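A pre-signing check for the gap described above, as an added example that is not part of the original article: it parses an HTML5 document with Python's standard `html.parser` and lists every resource the document loads but does not contain, which is the content a signature over the file does not cover. The names `unsigned_references`, `LOADING_RELS` and the sample `LINKED_DOC` are assumptions made for illustration, and the check goes beyond the article's style sheet case by also reporting `src` attributes and `url()`/`@import` references inside embedded CSS.

```python
import re
from html.parser import HTMLParser

# <link href> is fetched only for these rel values (rel="canonical" is not).
LOADING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}
# url(...) and @import "..." inside CSS also trigger fetches.
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False

    def _add(self, line, where, url):
        url = url.strip()
        if url and not url.lower().startswith("data:"):  # data: bytes are inline, so signed
            self.refs.append((line, where, url))

    def _scan_css(self, line, where, css):
        for m in CSS_REF.finditer(css):
            self._add(line + css.count("\n", 0, m.start()), where, m.group(1) or m.group(2))

    def handle_starttag(self, tag, attrs):
        line, a = self.getpos()[0], {k: v or "" for k, v in attrs}
        self._in_style = self._in_style or tag == "style"
        rels = set(a.get("rel", "").lower().split())
        for name, value in a.items():
            if name == "style":
                self._scan_css(line, tag + "[style]", value)
            elif (name == "src" or (tag, name) == ("object", "data")
                  or ((tag, name) == ("link", "href") and rels & LOADING_RELS)):
                self._add(line, tag, value)

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            self._scan_css(self.getpos()[0], "style", data)

def unsigned_references(html_text):
    """Return (line, where, url) for every resource loaded from outside the file."""
    finder = _Finder()
    finder.feed(html_text)
    finder.close()
    return finder.refs

# Constructed sample: the article's first message, reduced to its external <link>.
LINKED_DOC = ('<!DOCTYPE html>\n<html lang="en">\n<head>\n<link rel="stylesheet" '
              'href="https://www.yourcompanywebsite.com/css/style.css">\n</head>\n<body><p>Hi George,</p></body>\n</html>')
```

An empty result covers only static references in the markup and CSS; inline JavaScript can still fetch content at run time, so script bodies need separate review before signing.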