
Re: [webauthn] largeBlob storage extension can be used to bypass 3p storage restrictions (#1518)

From: Pranjal Jumde via GitHub <sysbot+gh@w3.org>
Date: Thu, 19 Nov 2020 19:04:12 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-730575618-1605812651-sysbot+gh@w3.org>
Thanks @nicksteele @kenrb @emlun for the feedback. From a DM conversation with @ve7jtb:

> me: If the blob can be accessed without user authentication, the site authors can use it as an alternative to 3p storage. Let's say `foo.com` is embedded as an iframe in `bar.com` and `baz.com`. If 3p storage is blocked by the user, `foo.com`, the embedded frame, has no way to identify the user. But, if largeBlob is accessible, `foo.com` can identify that the user visited `bar.com` and `baz.com`.

> jbradley: It is only available to the RP via the largeBlob extension if the user authenticates. Each large blob member is encrypted by the platform with a key that is part of a credential. largeBlob is never directly accessible to an RP. It is accessible to the platform, but that can't decrypt anything without an authentication, and that requires UP and possibly UV depending on the credProtect level.


-- 
GitHub Notification of comment by jumde
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1518#issuecomment-730575618 using your GitHub account
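As an added example (not code from this thread or from the WebAuthn project), this is how a relying party reaches a largeBlob through the extension: both the read and the write are extension outputs of a `navigator.credentials.get()` assertion ceremony, so the authenticator must complete user presence (and user verification, depending on the credential's credProtect level) for a credential scoped to `rpId` before any blob comes back. The `credentials` parameter is an assumption of this example so the flow can be exercised outside a browser; in a page it is `navigator.credentials`.

```javascript
// Builds PublicKeyCredentialRequestOptions carrying a largeBlob extension input
// ({ read: true } or { write: BufferSource }). The blob is bound to the key of
// the credential that produces the assertion, so a write must name exactly one
// allowed credential; clients reject the request otherwise.
function buildLargeBlobGetOptions(rpId, challenge, credentialIds, largeBlobInput) {
  if (largeBlobInput.write !== undefined && credentialIds.length !== 1) {
    throw new Error('largeBlob write needs exactly one allowed credential');
  }
  return {
    publicKey: {
      rpId,
      challenge,                        // unpredictable, issued by the RP server
      allowCredentials: credentialIds.map((id) => ({ type: 'public-key', id })),
      userVerification: 'preferred',
      extensions: { largeBlob: largeBlobInput },
    },
  };
}

// Pulls the largeBlob output out of getClientExtensionResults(). `blob` is
// absent when the authenticator has no blob for that credential or does not
// support the extension, so the RP must not assume it is present.
function extractLargeBlobResult(extensionResults) {
  const out = extensionResults.largeBlob || {};
  return {
    blob: out.blob ? new Uint8Array(out.blob) : null,
    written: Boolean(out.written),
  };
}

// Read: the blob is only released as part of a completed assertion ceremony.
async function readLargeBlob(rpId, challenge, credentialIds, credentials) {
  const opts = buildLargeBlobGetOptions(rpId, challenge, credentialIds, { read: true });
  const assertion = await credentials.get(opts);
  return extractLargeBlobResult(assertion.getClientExtensionResults()).blob;
}

// Write: same ceremony, one credential, data supplied as the `write` input.
async function writeLargeBlob(rpId, challenge, credentialId, bytes, credentials) {
  const opts = buildLargeBlobGetOptions(rpId, challenge, [credentialId], { write: bytes });
  const assertion = await credentials.get(opts);
  return extractLargeBlobResult(assertion.getClientExtensionResults()).written;
}
```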

Received on Thursday, 19 November 2020 19:04:14 UTC