- From: Ryan Sleevi <sleevi@google.com>
- Date: Fri, 22 Mar 2013 11:48:49 -0700
- To: Aymeric Vitte <vitteaymeric@gmail.com>
- Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Received on Friday, 22 March 2013 18:49:16 UTC
Physical access attacks MUST remain out of scope of this work.

On Fri, Mar 22, 2013 at 11:12 AM, Aymeric Vitte <vitteaymeric@gmail.com> wrote:

> Tricky, difficult or completely unlikely but maybe possible: Use Case,
> John and Jane, Jane does not leave John but wants to spy on him, sometimes she
> uses his computer then knows how to access it, while John is visiting the
> social site he leaves 5mn to see the postman, she inserts from his web
> console an iframe in the page (jane.com) and sends a postMessage with
> John's keys to the iframe which "stores" (ie references the underlying
> data) the keys in jane.com's indexedDB. She intercepts John's connexion
> and decrypts messages with John's computer when he is out reinjecting
> messages using jane.com.
>
> Usually this will not work because outside origin iframes cannot access
> indexedDB, but indexedDB spec just says: User agents MAY restrict access...
>
> Regards,
>
> --
> jCore
> Email : avitte@jcore.fr
> iAnonym : http://www.ianonym.com
> node-Tor : https://www.github.com/Ayms/node-Tor
> GitHub : https://www.github.com/Ayms
> Web : www.jcore.fr
> Webble : www.webble.it
> Extract Widget Mobile : www.extractwidget.com
> BlimpMe! : www.blimpme.com