- From: Aymeric Vitte <vitteaymeric@gmail.com>
- Date: Fri, 22 Mar 2013 19:12:31 +0100
- To: public-webcrypto-comments@w3.org
Tricky, difficult or completely unlikely but maybe possible:

Use case, John and Jane: Jane does not leave John but wants to spy on him. Sometimes she uses his computer, so she knows how to access it. While John is visiting the social site he leaves for 5 min to see the postman; she inserts from his web console an iframe in the page (jane.com) and sends a postMessage with John's keys to the iframe, which "stores" (i.e. references the underlying data) the keys in jane.com's indexedDB. She intercepts John's connection and decrypts messages with John's computer when he is out, reinjecting messages using jane.com.

Usually this will not work because outside-origin iframes cannot access indexedDB, but the indexedDB spec just says: User agents MAY restrict access...

Regards,

--
jCore
Email : avitte@jcore.fr
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web : www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com
Received on Friday, 22 March 2013 18:09:54 UTC