Re: Use case - John and Jane

I'm not sure what you mean - Jane's "use of web console" is a physical
access attack.


On Fri, Mar 22, 2013 at 3:42 PM, Aymeric Vitte <vitteaymeric@gmail.com> wrote:

>  That's a different version of Jane's attack (from web console, then
> physical access) against John described in WebCrypto Use Cases.
>
> More difficult and more unlikely, but maybe not if we go outside of
> John/Jane's simple context.
>
> Then maybe it should be referenced somewhere.
>
> Regards,
>
> On 22/03/2013 19:48, Ryan Sleevi wrote:
>
> Physical access attacks MUST remain out of scope of this work.
>
>
> On Fri, Mar 22, 2013 at 11:12 AM, Aymeric Vitte <vitteaymeric@gmail.com> wrote:
>
>> Tricky, difficult or completely unlikely but maybe possible: Use Case,
>> John and Jane. Jane does not leave John but wants to spy on him; sometimes she
>> uses his computer, then knows how to access it. While John is visiting the
>> social site he leaves for 5 min to see the postman; she inserts from his web
>> console an iframe in the page (jane.com) and sends a postMessage with
>> John's keys to the iframe, which "stores" (i.e. references the underlying
>> data) the keys in jane.com's indexedDB. She intercepts John's connection
>> and decrypts messages with John's computer when he is out, reinjecting
>> messages using jane.com.
>>
>> Usually this will not work because outside-origin iframes cannot access
>> indexedDB, but the indexedDB spec just says: User agents MAY restrict access...
>>
>> Regards,
>>
>> --
>> jCore
>> Email :  avitte@jcore.fr
>> iAnonym : http://www.ianonym.com
>> node-Tor : https://www.github.com/Ayms/node-Tor
>> GitHub : https://www.github.com/Ayms
>> Web :    www.jcore.fr
>> Webble : www.webble.it
>> Extract Widget Mobile : www.extractwidget.com
>> BlimpMe! : www.blimpme.com
>>
>>
>>
>
>
>

Received on Friday, 22 March 2013 22:45:53 UTC