[whatwg] Persistent storage is critically flawed.

Shannon Baker shannon at arc.net.au
Tue Aug 29 01:52:32 PDT 2006

Ian Hickson said (among other things):
> It seems that what you are suggesting is that foo.example.com cannot trust 
> example.com, because example.com could then steal data from 
> foo.example.com. But there's a much simpler attack scenario for 
> example.com: it can just take over foo.example.com directly. For example, 
> it could insert new HTML code containing <script> tags (which is exactly 
> what geocities.com does today, for example!), or it could change the DNS 
> entries (which is what, e.g., dyndns.org could do).
> There is an implicit trust relationship here already. There is no point 
> making the storage APIs more secure than the DNS and Web servers they rely 
> on. That would be like putting a $500 padlock on a paper screen.

I interpret this comment as: "since there is already a hole in the hull 
of our boat, it doesn't matter if we drill some more". The proposal and 
your justification make too many assumptions about the [site owner / 
server owner / DNS provider] relationships and/or security that are 
unverifiable. If I run a server at books.jump.to then I accept that they 
COULD redirect my domain or even insert code but I also expect that I 
could DETECT IT and possibly sue for breach of contract. That's the key 
flaw in your argument - all of the exploits above are easy to detect - 
but no hacking or tampering is required for an untrusted party to access 
shared global storage. All that's required is a single page anywhere on 
jump.to at any time to perform a simple walk over the storage array - 
something which could easily be disguised as a legitimate action. That 
is the crux of my concern - not that the proposal allows new forms of 
abuse - but that it makes existing abuses easier to implement and harder 
to detect and remove.

I'm not going to respond to all your points individually since most 
amount to 'Sure there are problems but UAs will fix them for us' or 
'we'll fix it later'. I can only take your word for that. Besides most 
of the proposals' flaws can be resolved with something like the following:

Remove ALL trust assumptions based on the domain name and use 
public/private certificates to sign data in and out of storage. This 
would also allow IP based hosts to use storage. Remember, our objectives 
for persistent storage are simply:

To store an object on a client and retrieve it later, even if the 
'session' has since been closed.
Allow trusted site(s) access to a previously stored client-side data 
object (such as a user document)

It's quite a simple requirement that is only complicated by the 
standards' lame definition of what a 'trusted' site is. I absolutely 
insist that trust can never be inferred from DNS or IP information. In 
fact even the site authors own domain is somewhat suspect since it can 
change ownership if not renewed (it happened to me when a registrar 
screwed me over). Therefore we need a system of credentials based on the 
site owner. Fortunately this is similar to the problem that SSL site 
certificates solve. Since we already have a way of obtaining and 
verifying certificates it should not be a big stretch to extend this to 
private storage. It wouldn't even need to be as complex as an SSL cert 
since we are only trying to establish that the site trying to access the 
key possesses the same private or group certificate as the site setting 
it. Provided each site can have multiple certs then all the requirements 
of the spec can be met without bleeding out data to abitrary 
third-parties and dodgy ISPs. Sure your hosting service _could_ steal 
your private keys but that is unlikely to go undetected for long and 
would qualify as a crime in most countries (forgery,theft,fraud - take 
your pick).

Anyway that's just a basic outline but it is FUNDAMENTALLY better than 
the one the draft proposes. It requires nothing from the UA except the 
ability to perform certificate validation and nothing from the site 
author other than a way to generate and protect private certificates and 
send signed data. I could go into more detail and even draft a sample 
implementation should anyone be serious about persuing this idea.

On the other hand if Jim is right and the authors of the storage 
proposal are really just pushing for a better user-tracking system under 
the guise of a user feature then this argument is already over. Do 
whatever you like and I'll make sure it's turned off in my browser.

Web Developer

More information about the whatwg mailing list