Identity Security

From WebID Wiki

The purpose of this page is to identify whether, and which, security threats affect WebID at the conceptual level. Bear in mind that this page should not be mistaken for Authentication Security, which covers the security aspects of WebID-TLS. Please feel free to contribute additional issues you consider pertinent. For serious proposals on this topic sent to the mailing list, please mention ISSUE-73.

* TODO: decide whether we should also propose a set of best-practice suggestions.

Hosting a profile document

  • If the server hosting a profile document does not serve it over HTTPS, there is a risk of man-in-the-middle attacks, in which the attacker serves a different profile document than the original one.
  • Is trust a part of security, or does it require its own section?
  • TODO: Q: do RDF client libraries perform their requests over HTTPS? How do they handle servers with self-signed SSL certificates?
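An added example (not code from the WebID project) showing one way a client can apply the two points above when fetching a profile document: it refuses any non-HTTPS URL, including on redirect hops, verifies the server certificate against the system CA store, and accepts a self-signed host only when the caller supplies an explicit SHA-256 certificate fingerprint pin. Standard library only; the URLs, pins and hostnames are assumptions.

```python
import hashlib
import http.client
import ssl
from urllib.parse import urljoin, urlparse

class ProfileTransportError(Exception):
    """Raised when a profile URL or its TLS session violates the fetch policy."""

def check_profile_url(url):
    """Return the parsed URL if it is https:// with a host, else raise."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ProfileTransportError(f"profile must be fetched over HTTPS: {url}")
    if not parts.hostname:
        raise ProfileTransportError(f"profile URL has no host: {url}")
    return parts

def cert_fingerprint(der_cert):
    """Lower-case hex SHA-256 over the DER certificate, the usual pin format."""
    return hashlib.sha256(der_cert).hexdigest()

def cert_matches_pins(der_cert, pins):
    """True if the fingerprint is among pins (given as 'AB:CD:..' or 'abcd..')."""
    return cert_fingerprint(der_cert) in {p.lower().replace(":", "") for p in pins}

def fetch_profile(url, pins=None, max_redirects=5, timeout=10):
    """Return (final_url, content_type, body) for a WebID profile document."""
    for _ in range(max_redirects + 1):
        parts = check_profile_url(url)  # re-checked per hop: no HTTPS -> HTTP downgrade
        ctx = ssl.create_default_context()  # system CA chain + hostname verification
        if pins:  # self-signed host: trust comes from the explicit pin, not from a CA
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, context=ctx, timeout=timeout)
        try:
            conn.connect()  # handshake first: the pin is checked before any request is sent
            if pins and not cert_matches_pins(conn.sock.getpeercert(binary_form=True), pins):
                raise ProfileTransportError(f"certificate of {parts.hostname} matches no pin")
            path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
            conn.request("GET", path, headers={"Accept": "text/turtle, application/rdf+xml;q=0.8"})
            resp = conn.getresponse()
            if resp.status in (301, 302, 303, 307, 308):
                url = urljoin(url, resp.getheader("Location", ""))
                continue
            if resp.status != 200:
                raise ProfileTransportError(f"HTTP {resp.status} while fetching {url}")
            return url, resp.getheader("Content-Type", ""), resp.read()
        finally:
            conn.close()
    raise ProfileTransportError("too many redirects while fetching the profile")
```

A pin belongs to one specific certificate, so an operator who rotates a self-signed certificate must distribute the new fingerprint to clients before the switch.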

Denial of Service

  • DoS attacks are very easy to mount. A possible mitigation is rate limiting on the server, combined with static caching (serve a static copy of the profile even if the server builds the profile graph from SPARQL queries).