Re: ISSUE-11: Gathering requirements [FileSystem API]

> Thanks for all comments. Nice to have a lively discussion :-)
>
> With my proposal I assume:
>
> * It is possible to securely verify the identity of the web application (typically a signed widget).

Yes, but that does not make the widget safe.

The problem is that a widget can import any JavaScript from the Web
and execute it. Obviously, this downloaded script may contain insecure
items, even when the widget itself doesn't.

So a malicious author creates a widget that imports a perfectly
innocent remote script, sends it in for review and signing, and as
soon as the widget has passed the tests and is actually downloadable
he changes the remote script to steal somebody's address book or
whatever.

This is why widget security is such a terribly complicated subject,
and why signing is not the solution to our security problems.

> * The mobile platform is capable of preventing any other applications than the application the secret information is aimed for from accessing the information.

As I said earlier, any HTML/XML/JavaScript solution we can devise can
easily be copied to another widget. Signing would be a different
matter, but even signing does not make a widget safe.

> This of course places restrictions on the usage of this API and places requirements on the devices implementing the API.

I feel that the user should be asked for permission to access address
books and such, and that this permission-asking is a browser or OS
functionality that cannot be influenced by JavaScript.

> I would like to take your comments to an internal discussion with our security experts and come back with more meat to the discussion later.

Please do!

Thanks,

Received on Wednesday, 7 October 2009 13:14:55 UTC
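An added illustration of the gap described in the reply above (example code, not from the thread or any widget platform): a package digest stands in for the widget signature and covers only the packaged files, so a review-time manifest also pins the digest of each remote script, and the platform checks the fetched body against that pin before executing it. The URL, file names and script bodies are constructed.

```python
import hashlib
import hmac

# Constructed sample widget: packaged files (covered by review/signing) plus one
# remote script that is fetched at run time and therefore NOT covered.
WIDGET_FILES = {
    "config.xml": b"<widget id='example.widget'/>",
    "index.html": b"<script src='https://cdn.example/lib.js'></script>",
}
URL = "https://cdn.example/lib.js"
# Remote script body as it looked when the widget went through review (constructed).
REVIEWED_REMOTE_SCRIPT = b"function greet(){ return 'hello'; }"
# Same URL after the author replaced the file post-signing (constructed).
SWAPPED_REMOTE_SCRIPT = b"function greet(){ /* changed after signing */ return 'hi'; }"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def package_digest(files: dict) -> str:
    """Digest over the packaged files only: a stand-in for what a package signature covers."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    return h.hexdigest()


def build_manifest(files: dict, remote_scripts: dict) -> dict:
    """Review-time manifest: package digest plus a pinned digest per remote script URL."""
    return {"package": package_digest(files),
            "remote": {url: sha256(body) for url, body in remote_scripts.items()}}


def package_signature_valid(files: dict, manifest: dict) -> bool:
    """What a package signature check alone tells you: the packaged files are unchanged."""
    return hmac.compare_digest(package_digest(files), manifest["package"])


def remote_script_allowed(manifest: dict, url: str, body: bytes) -> bool:
    """Platform-side check before running a fetched script: only the reviewed body may execute."""
    pinned = manifest["remote"].get(url)
    return pinned is not None and hmac.compare_digest(sha256(body), pinned)


MANIFEST = build_manifest(WIDGET_FILES, {URL: REVIEWED_REMOTE_SCRIPT})

if __name__ == "__main__":
    print(package_signature_valid(WIDGET_FILES, MANIFEST))            # True: package untouched
    print(remote_script_allowed(MANIFEST, URL, REVIEWED_REMOTE_SCRIPT))  # True
    print(remote_script_allowed(MANIFEST, URL, SWAPPED_REMOTE_SCRIPT))   # False: swapped after review
```

The package check still passes after the swap, which is exactly the reply's point; only the pinned remote digest rejects the changed script.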