Re: Use case - John and Jane

That's a different version of Jane's attack (from web console, then 
physical access) against John described in WebCrypto Use Cases.

More difficult and more unlikely, but maybe not if we go outside of 
John/Jane's simple context.

Then maybe it should be referenced somewhere.

Regards,

On 22/03/2013 19:48, Ryan Sleevi wrote:
> Physical access attacks MUST remain out of scope of this work.
>
>
> On Fri, Mar 22, 2013 at 11:12 AM, Aymeric Vitte
> <vitteaymeric@gmail.com> wrote:
>
>     Tricky, difficult or completely unlikely but maybe possible: Use
>     Case, John and Jane. Jane does not leave John but wants to spy on
>     him; sometimes she uses his computer, then knows how to access it.
>     While John is visiting the social site he leaves for 5 min to see
>     the postman, she inserts from his web console an iframe in the page
>     (jane.com) and sends a postMessage with John's keys to the iframe
>     which "stores" (i.e. references the underlying data) the keys in
>     jane.com's indexedDB. She intercepts John's connection and decrypts
>     messages with John's computer when he is out reinjecting messages
>     using jane.com.
>
>     Usually this will not work because outside origin iframes cannot
>     access indexedDB, but the indexedDB spec just says: User agents MAY
>     restrict access...
>
>     Regards,
>
>     -- 
>     jCore
>     Email : avitte@jcore.fr
>     iAnonym : http://www.ianonym.com
>     node-Tor : https://www.github.com/Ayms/node-Tor
>     GitHub : https://www.github.com/Ayms
>     Web : www.jcore.fr
>     Webble : www.webble.it
>     Extract Widget Mobile : www.extractwidget.com
>     BlimpMe! : www.blimpme.com
>
>
>

-- 
jCore
Email :  avitte@jcore.fr
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web :    www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com

Received on Friday, 22 March 2013 22:39:25 UTC