Re: Was: Draft Blog Post on Cryptography API, Now: Potential API recommendation caveats

----- Original Message -----
> From: "Ryan Sleevi" <sleevi@google.com>
> To: "David Dahl" <ddahl@mozilla.com>
> Cc: "David Rogers" <david.rogers@copperhorses.com>, public-webcrypto@w3.org, hhalpin@w3.org
> Sent: Tuesday, October 9, 2012 3:41:22 PM
> Subject: Re: Was: Draft Blog Post on Cryptography API, Now: Potential API recommendation caveats

> It sounds like your solution offers nothing more than a signature on
> the (initial) code, which is the same as offered by a number of
> existing extension mechanisms (eg: Both Firefox and Chromium)
> 
> Again, you make reference to a more "trustworthy" environment, but
> it's unclear what your concerns are that you feel are mitigated here.
> An extension/Open Web App/SysApp that say, calls eval on the result of
> an XHR over HTTP, is just as likely to get owned as a web page.

I think this would be much less likely, but is of course still possible.

> 
> While I appreciate the security concern, I feel like there's some
> handwaving here that it's better, and I'm trying to understand the
> concrete concerns here. Is it just that the (initial) code is signed
> (since it can always change later)? 

If the code changes, it was again signed and is again verified upon re-install.

> That the user explicitly installed
> the extension (which seems wholly unrelated to malleability or any of
> the other security concerns raised)
> 
True.

> What I'm trying to tease out here is what security properties are
> *unique* to what you're proposing that are not already available to
> the web platform, AND why you feel those security properties are
> essential to the API.
> 
> To put it differently, if the API required CSP and an HTTPS origin,
> what concerns do you have that fundamentally non-applicable to your
> Extension/"Open Web App" scenario?

I think a locally installed, verified application fetched from an "honest broker" like Mozilla's or Google's AppStores is far and away a better security risk than a web page - even with HTTPS and CSP.


Cheers,

David

Received on Tuesday, 9 October 2012 21:13:45 UTC