Re: Client side storage: Flash storage used to preserve/recreate deleted cookies from ashok malhotra on 2010-08-30 (www-tag@w3.org from August 2010)

From: ashok malhotra <ashok.malhotra@Oracle.com>
Date: Mon, 30 Aug 2010 16:33:30 -0700
To: Noah Mendelsohn <nrm@arcanedomain.com>
CC: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <4C7C3FCA.1050808@oracle.com>

  Noah:
We discussed some of this when we discussed the WebStorage draft http://www.w3.org/TR/webstorage/
This contains warnings and security risks in sections 6 and 7.  Take a look.  We may want them to say more
All the best, Ashok

On 8/30/2010 12:34 PM, Noah Mendelsohn wrote:
> I'm curious: in considering these API's, what's the conceptual line between "cookies", which are to a significant degree intended for tracking, and other client-side storage that might be used for, say, my email?
>
> Let's say a vendor A creates a storage system, with the intention that it be used primarily to store things like email.  "Malicious" Web site M writes code that copies my HTTP cookies into the A-store.  Now, when I use the API to delete "cookies", does that copy go away?  Does my email go away?  How in practice do we create user interfaces and APIs that moderately naive users will succeed at using to delete tracking information, while not unintentionally losing all their email?
>
> Noah
>
> Julian Reschke wrote:
>> On 30.08.2010 17:11, David Booth wrote:
>>> On Sun, 2010-08-29 at 16:35 -0400, Noah Mendelsohn wrote:
>>>> This article [1] suggests that at least some organizations are using Flash
>>>> client side storage to preserve and recreate browser cookies.  Not quite
>>>> sure what this is pertinent to TAG work on client-side storage, but it's at
>>>> least worth noting.
>>>>
>>>> Noah
>>>>
>>>> [1]
>>>> http://arstechnica.com/tech-policy/news/2010/08/ad-firm-sued-for-allegedly-re-creating-deleted-cookies.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss
>>>
>>> Wow, that's a *major* privacy violation and security hole.  I'm
>>> surprised Adobe has not yet been sued about it, but perhaps the
>>> attorneys are going after the lower hanging fruit.
>>>
>>> And BTW, the whole idea of users having to use Adobe's web site to set
>>> the security controls on their own personal computer is completely
>>> absurd.  That aspect in and of itself is totally broken and would seem
>>> to me to be grounds for a lawsuit regardless of the other issues.
>>
>> I think people rightfully expect that they can use their browser's privacy settings to clear collected data, be it in cookies, in HTML5 local storage, in Silverlight Local Storage, or in Flash Client Side Storage.
>>
>> To make this happen, an API is needed so that UAs can manage the date.
>>
>> A proposal for that API has been made several months ago, see <https://wiki.mozilla.org/Plugins:ClearPrivacyData>, but unfortunately *both* UA implementers and plugin implementers are very very very slow in making this happen.
>>
>> Just saying.
>>
>> Best regards, Julian
>>
>

Received on Monday, 30 August 2010 23:36:55 UTC