- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 7 Apr 2010 17:09:44 -0700
On Wed, Apr 7, 2010 at 4:54 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
> On Thu, Apr 8, 2010 at 12:48 AM, Jonas Sicking <jonas at sicking.cc> wrote:
>>
>> On Wed, Apr 7, 2010 at 4:29 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
>> >> > In regards to data expiration, part of ensuring the security of data
>> >> > is knowing how long it will be stored on disk. If I let someone borrow
>> >> > my computer to check their email, and the email client happens to save
>> >> > some data onto the client, then that person's data will now be on my
>> >> > disk for who knows how long. That represents a data security issue. By
>> >> > allowing an expiration date to be tied to the data, you can have
>> >> > reasonable assurance that the data isn't just going to be sitting
>> >> > around waiting for someone to try and use it.
>> >> >
>> >>
>> >> It is true that not having control over your data could be an issue,
>> >> but simply embedding expiry into the data may not buy you much to
>> >> protect it. Insofar as the crypto wouldn't be running in a TPM, it
>> >> would be easy to reverse engineer it and extract the data; it would
>> >> also be fairly easy to reset the clock on the device to keep data from
>> >> being deleted.
>> >
>> > One thing that might be interesting is a way to cache large amounts of
>> > data that are deleted when the browser and/or tab closes. This might be
>> > something for the new file system API to consider (hence adding ericu
>> > to the thread). But time-based controls aren't going to do anything
>> > more than give perceived security. (In your use case, expiration
>> > doesn't add much actual security for the reasons Dirk mentioned.)
>>
>> I disagree. Having data time out is a good "additional layer" of
>> security. For example if your laptop gets stolen, then it's much better
>> if the thief only gets access to the sites you've used the last 24h,
>> than any site you've ever used.
>>
>> This is why people do things like enforce password changes every X
>> weeks. Yes, password changing has social downsides, like people writing
>> down passwords on post-its etc. However those problems do not seem to
>> apply here.
>>
>> So I don't think anyone is arguing that expiration is good security in
>> and of itself. But it is a good (and low cost) way of getting
>> additional security.
>
> Sure, but it should not be thought of as anything more than a hint. If I
> go to a site that says expire the data in 24 hours and then I turn it off
> and don't use it for a year, that data is still there.

This is true, and important.

> Anything that has the outward appearance of adding more security than it
> actually does worries me. (I'm obviously worried a lot. :-)

I think it's pretty obvious though that expiring the data X seconds in the
future doesn't in and of itself give any protection whatsoever until the
data has actually been expired. I guess it could be argued that it isn't
obvious that the data is only expired if the browser is running. I don't
think this is enough of a problem to kill the feature though.

/ Jonas
Received on Wednesday, 7 April 2010 17:09:44 UTC
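The behaviour the thread argues over, expiry that is enforced only when browser code actually runs and that trusts the local clock, shown as an added example over the Web Storage interface. This is illustration code written for this page, not code from the thread, from any browser, or from the File System or IndexedDB proposals discussed. The record format, the "exp:" key prefix, the function names and the in-memory stand-in for localStorage are all assumptions made for the example.

```javascript
// Added example, not code from the thread: an expiry-tagged wrapper over the
// Web Storage interface (getItem/setItem/removeItem/key/length). The record
// format, the "exp:" key prefix and the function names are assumptions made
// for this example. Expiry is enforced only when this code runs, which is
// the caveat raised in the thread: nothing happens to data on disk while the
// browser is closed, and every check trusts the local clock.

// Constructed in-memory stand-in for window.localStorage so the example runs
// outside a browser. In a page you would pass localStorage itself.
function makeMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    key: (i) => { const keys = Array.from(map.keys()); return i < keys.length ? keys[i] : null; },
    get length() { return map.size; },
  };
}

const PREFIX = 'exp:'; // assumed namespace for expiry-tagged records

// Store a value with a time-to-live in milliseconds. `now` is injectable so
// the clock-reset problem mentioned in the thread can be reproduced below.
function setWithExpiry(storage, key, value, ttlMs, now = Date.now()) {
  const record = { value, expiresAt: now + ttlMs };
  storage.setItem(PREFIX + key, JSON.stringify(record));
}

// Parse a stored record; returns null for anything malformed.
function parseRecord(raw) {
  try {
    const record = JSON.parse(raw);
    if (record && typeof record.expiresAt === 'number') return record;
  } catch (e) { /* malformed JSON: treat as missing */ }
  return null;
}

// Read a value. An expired or malformed record is removed on read and null
// is returned, so expiry is enforced lazily, at access time, and not before.
function getWithExpiry(storage, key, now = Date.now()) {
  const fullKey = PREFIX + key;
  const raw = storage.getItem(fullKey);
  if (raw === null) return null;
  const record = parseRecord(raw);
  if (record === null || record.expiresAt <= now) {
    storage.removeItem(fullKey);
    return null;
  }
  return record.value;
}

// Purge every expired (or unparseable) tagged record; meant to run at page
// load. Returns the number of records removed. Until this or a read runs,
// an expired record is still physically present in the storage.
function sweepExpired(storage, now = Date.now()) {
  const doomed = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k === null || !k.startsWith(PREFIX)) continue;
    const record = parseRecord(storage.getItem(k));
    if (record === null || record.expiresAt <= now) doomed.push(k);
  }
  for (const k of doomed) storage.removeItem(k); // delete after iterating
  return doomed.length;
}

// How many tagged records are physically present, expired or not.
function countStoredRecords(storage) {
  let n = 0;
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(PREFIX)) n++;
  }
  return n;
}

// Walk-through of the thread's scenario on a constructed timeline.
function demo() {
  const HOUR = 3600 * 1000, DAY = 24 * HOUR;
  const t0 = Date.UTC(2010, 3, 7); // constructed start time
  const s = makeMemoryStorage();
  setWithExpiry(s, 'mailSession', 'token-123', DAY, t0);
  const readSoon = getWithExpiry(s, 'mailSession', t0 + HOUR);   // 'token-123'
  const onDiskAfterYear = countStoredRecords(s);                  // 1: no code has run yet
  const purged = sweepExpired(s, t0 + 365 * DAY);                 // 1: sweep finally runs
  const afterSweep = countStoredRecords(s);                       // 0
  // Clock turned back to before the write: the record looks fresh again.
  setWithExpiry(s, 'mailSession', 'token-456', DAY, t0);
  const clockReset = getWithExpiry(s, 'mailSession', t0 - DAY);  // 'token-456'
  return { readSoon, onDiskAfterYear, purged, afterSweep, clockReset };
}
```

Two design points follow from the code. First, `sweepExpired` is the only thing that ever deletes data the page has not asked for, so if the browser is never opened the record written with a 24-hour TTL is still there a year later, exactly as Jeremy describes. Second, because `now` comes from the local clock, moving the clock back revives an expired record, which is Dirk's clock-reset objection; the expiry is a hint that limits exposure on an honest machine, not a control against someone who holds the disk.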