- From: Jeremy Orlow <jorlow@chromium.org>
- Date: Thu, 8 Apr 2010 00:54:20 +0100
On Thu, Apr 8, 2010 at 12:48 AM, Jonas Sicking <jonas at sicking.cc> wrote: > On Wed, Apr 7, 2010 at 4:29 PM, Jeremy Orlow <jorlow at chromium.org> wrote: > >> > In regards to data expiration, part of ensuring the security of data > is > >> > knowing how long it will be stored on disk. If I let someone borrow my > >> > computer to check their email, and the email client happens to save > some > >> > data onto the client, then that person?s data will now be on my disk > for > >> > who > >> > knows how long. That represents a data security issue. By allowing an > >> > expiration date to be tied to the data, you can have reasonable > >> > assurance > >> > that the data isn?t just going to be sitting around waiting for > someone > >> > to > >> > try and use it. > >> > > >> > >> It is true that not having control over your data could be an issue, but > >> simply > >> embedding expiry into the data may not buy you much to protect it. > Insofar > >> as the crypto wouldn't be running in a TPM, it would be easy to reverse > >> engineer > >> it and extract the data; it would also be fairly easy to reset the > >> clock on the device > >> to keep data from being deleted. > > > > One thing that might be interesting is a way to cache large amounts of > data > > that are deleted when the browser and/or tab closes. This might be > > something for the new file system API to consider (hence adding ericu to > the > > thread). But time based controls aren't going to do anything more than > give > > perceived security. (In your use case, expiration doesn't add much > actual > > security for the reasons Dirk mentioned.) > > I disagree. Having data time out is a good "additional layer" of > security. For example if your laptop gets stolen, then it's much > better if the thief only gets access to the sites you've used the last > 24h, than any site you've ever used. > > This is why people do things like enforce password changes every X > weeks. Yes, password changing has social downsides, like people > writing down passwords on post-its etc. However those problems do not > seem to apply here. > > So I don't think anyone is arguing that expiration is good security in > and of itself. But it is a good (and low cost) way of getting > additional security. > Sure, but it should not be thought of as anything more than a hint. If I go to a site that says expire the data in 24 hours and then I turn it off and don't use it for a year, that data is still there. Anything that has the outward appearance of adding more security than it actually does worries me. (I'm obviously worried a lot. :-) -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100408/82fd3b82/attachment.htm>
Received on Wednesday, 7 April 2010 16:54:20 UTC