[whatwg] Proposal for secure key-value data stores

On Thu, Apr 8, 2010 at 12:48 AM, Jonas Sicking <jonas at sicking.cc> wrote:

> On Wed, Apr 7, 2010 at 4:29 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
> >> > In regards to data expiration, part of ensuring the security of data is
> >> > knowing how long it will be stored on disk. If I let someone borrow my
> >> > computer to check their email, and the email client happens to save some
> >> > data onto the client, then that person's data will now be on my disk for
> >> > who knows how long. That represents a data security issue. By allowing an
> >> > expiration date to be tied to the data, you can have reasonable assurance
> >> > that the data isn't just going to be sitting around waiting for someone
> >> > to try and use it.
> >> >
> >>
> >> It is true that not having control over your data could be an issue, but
> >> simply embedding expiry into the data may not buy you much to protect it.
> >> Insofar as the crypto wouldn't be running in a TPM, it would be easy to
> >> reverse engineer it and extract the data; it would also be fairly easy to
> >> reset the clock on the device to keep data from being deleted.
> >
> > One thing that might be interesting is a way to cache large amounts of
> > data that are deleted when the browser and/or tab closes.  This might be
> > something for the new file system API to consider (hence adding ericu to
> > the thread).  But time based controls aren't going to do anything more
> > than give perceived security.  (In your use case, expiration doesn't add
> > much actual security for the reasons Dirk mentioned.)
>
> I disagree. Having data time out is a good "additional layer" of
> security. For example if your laptop gets stolen, then it's much
> better if the thief only gets access to the sites you've used the last
> 24h, than any site you've ever used.
>
> This is why people do things like enforce password changes every X
> weeks. Yes, password changing has social downsides, like people
> writing down passwords on post-its etc. However those problems do not
> seem to apply here.
>
> So I don't think anyone is arguing that expiration is good security in
> and of itself. But it is a good (and low cost) way of getting
> additional security.
>

Sure, but it should not be thought of as anything more than a hint.  If I go
to a site that says expire the data in 24 hours and then I turn it off and
don't use it for a year, that data is still there.

Anything that has the outward appearance of adding more security than it
actually does worries me.  (I'm obviously worried a lot. :-)
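The "expiry is only a hint" point made above can be seen in code. The following is an added example, not part of the thread or of any browser implementation: a minimal expiring key-value store with an injectable clock (all names, the in-memory Map standing in for on-disk storage, and the sample values are constructed for illustration). It shows that an expiry timestamp stored beside the data is only enforced when code actually runs a read or a sweep, that the bytes stay in storage until then, and that the check is only as trustworthy as the clock it consults.

```javascript
// Added example (not from the thread): a minimal expiring key-value store
// illustrating why stored expiry is a hint rather than a guarantee.
// The Map stands in for a persistent backend; the clock is injectable so the
// behaviour under a wrong clock can be shown. All names are hypothetical.

class ExpiringStore {
  constructor(clock = () => Date.now()) {
    this.clock = clock;          // returns the current time in milliseconds
    this.entries = new Map();    // key -> { value, expiresAt }
  }

  // Store a value that should no longer be readable after ttlMs milliseconds.
  set(key, value, ttlMs) {
    if (!Number.isFinite(ttlMs) || ttlMs <= 0) {
      throw new RangeError("ttlMs must be a positive number of milliseconds");
    }
    this.entries.set(key, { value, expiresAt: this.clock() + ttlMs });
  }

  // Enforce expiry on every read: an expired entry is deleted and reported absent.
  get(key) {
    const entry = this.entries.get(key);
    if (entry === undefined) return undefined;
    if (entry.expiresAt <= this.clock()) {
      this.entries.delete(key);
      return undefined;
    }
    return entry.value;
  }

  // Sweep every expired entry and return how many were removed. Nothing is
  // removed unless something calls this (or get()): a browser that is not
  // running deletes nothing, which is the point made in the reply above.
  purge() {
    let removed = 0;
    const now = this.clock();
    for (const [key, entry] of this.entries) {
      if (entry.expiresAt <= now) {
        this.entries.delete(key);
        removed++;
      }
    }
    return removed;
  }

  // Entries physically present, expired or not: what a disk image would hold.
  rawCount() {
    return this.entries.size;
  }
}

// Walk through the scenario discussed in the thread with a constructed clock.
function demo() {
  let now = 1000000;                                // constructed start time (ms)
  const store = new ExpiringStore(() => now);
  store.set("session", "token-abc", 24 * 60 * 60 * 1000); // 24h TTL

  const beforeExpiry = store.get("session");        // "token-abc"
  now += 25 * 60 * 60 * 1000;                       // 25 hours pass with no access
  const stillStored = store.rawCount();             // 1: nothing ran, nothing was deleted
  const afterExpiry = store.get("session");         // undefined: enforced at read time
  const removedBySweep = store.purge();             // 0: the read above already removed it

  // The check depends on the clock it is given: with the clock an hour
  // behind, an entry with a 1-second TTL is still served.
  store.set("session2", "token-def", 1000);
  now -= 60 * 60 * 1000;
  const readWithBadClock = store.get("session2");   // "token-def"

  return { beforeExpiry, stillStored, afterExpiry, removedBySweep, readWithBadClock };
}
```

The design enforces the deadline at every read and offers a sweep for housekeeping, which is what a practical implementation would do; the demo's `stillStored` and `readWithBadClock` results are exactly the two limits the thread raises, so the TTL is a useful additional layer for the stolen-laptop case but not a substitute for keeping sensitive data off the client.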

Received on Wednesday, 7 April 2010 16:54:20 UTC