Page Source Verifier Bookmarklet
cryptographic snapshot of page code

Parvez Anandam

Can one store sensitive information on an Internet host with complete confidence that the data is secure, while at the same time maintaining the anywhere anytime access the Internet prodives? The Host-Proof Hosting AJAX design pattern provides a mechanism to achieve this. The online password manager Passlet is one of the first implementation of Host-Proof Hosting.

Central to the Host-Proof Hosting idea is the ability for the end user to independently verify that the hosting service has not tampered with the AJAX code about to be run on the user's browser. This is to protect both against a malicious hosting service and against an external attack, were the host to be compromised.

It would be ideal if browsers performed this code verification for the user. Unfortunately, they do not today; perhaps they may in the future. A browser plug-in is the next logical tool to consider. However, a plug-in negates several of the key benefits of AJAX, namely access from any device, even those you cannot install software on. That is not to say that a code-verification plug-in is not useful; someone should write one.

Here I propose a more light-weight code verifier, in the form of a bookmarklet. A bookmarklet is a little piece of JavaScript that is bookmarked, whose key advantage is access to the current page's DOM (Document Object Model). This code verifier bookmarklet produces a cryptographically safe snapshot of the page by computing the SHA-1 hash of the entire code source. Besides the page itself, it fetches all the referenced JavaScript code and computes their hashes. It makes use of Paul Johnston's excellent SHA-1 JavaScript library, trimmed to fit into a bookmarklet

This bookmarklet has been tested on Internet Explorer and Firefox. It should only require trivial modifications, if at all, to work on other browsers. To use it, right click on the link below and bookmark it as a favorite; then on any page you wish to verify, just select it from your bookmarks. Beware, calculating SHA-1 hashes of large pieces of code can take a while, so please be patient.

Right click on this link and add to Favorites (Bookmarks): Page Source Verifier

Please send feedback to