RE: Web Apps & Security

Hi Dom and all,

I am afraid I am going to disappoint you...

The Web Crypto WG is providing developers with an API to perform accurate crypto operations such as key generation, ciphering and verifying signatures in their web application, with all kinds of algorithm flavors. But it does not guarantee that it will be made safely and unbreakably: it will be up to the browser to implement security measures. The API does not mandate any specific technology or specific storage to store the generated keys or the result of crypto operations. It is up to the browser to use a proprietary secret mechanism, obfuscation, storage on an embedded hardware token, ciphered storage or clear storage... I am confident that most of them will try to make it well, but the W3C Web Crypto API does not mandate anything there...

On the idea of a high level trying to provide developers with simple crypto, this is something the WG is working on, without finding so many contributors (Wayne, if you want to join, that would be great :)

About the gap between native and web: the native model allows bundled apps, with signature and certificate, security audit or certification (of the apps), reliability of the execution environment ('kind of' integrity of OS and APIs, this is improving every day). I do believe that in terms of security the web app model must be improved to make similar things and should at least provide options to make it better. My bet on that one is that as long as the W3C is only dealing with pure software in that area, abstracting the security requirement and staying independent from the OS security capabilities (access to TPM, TEE, Secure Element, dedicated secure storage), this will not be improved.

Regards,
Virginie 



-----Original Message-----
From: Dominique Hazael-Massieux [mailto:dom@w3.org] 
Sent: Wednesday 17 April 2013 10:48
To: Wayne Carr; GALINDO Virginie
Cc: public-closingthegap@w3.org
Subject: Re: Web Apps & Security

On Monday 15 April 2013 at 08:05 -0700, Wayne Carr wrote:
> > * it's impossible to store local data safely (e.g. with encryption 
> > and key management) — I assume this is something the Web Crypto API 
> > is addressing, but I'm not sure if it addresses all of it, or just 
> > some piece of an otherwise incomplete puzzle
> 
> I think Web Crypto would enable an app to do it itself, but that 
> doesn't mean a simpler high level API to do it more simply (for the 
> developer) isn't useful.

At least if the primitives are available, I'm less worried about providing the right high level API; it's more important that it is possible than for it to be easy (although obviously having both is the ultimate goal).

Virginie, can you confirm that Web Crypto mixed with local storage technologies allows storing data locally safely?

> > * the code of your app is available to anyone, making it easier to 
> > tamper with it or to copy it; users themselves can exploit 
> > vulnerabilities e.g. via developer tools; content exposed through 
> > Web apps can't be DRM'd
> 
> Things people mention are game developers not wanting to expose 
> private details of their games, or worrying about cheating at games. 
> I don't know if it would be enough to have something like web workers 
> that ran in a secure environment (can't see or tamper with the code).

Could you share a bit more about your ideas of this secured Web worker?
What would it protect from, and how?

Virginie, if there is anything you can share about this piece as well (and all of this thread, really :), this would be very useful :)

Dom

Received on Monday, 22 April 2013 22:05:40 UTC