• SharedUserSystem

Shared User System such as a Kiosk

Browsers often run on systems used by several distinct users, such as in a home shared among family, in an office shared among employees, or on a Kiosk, Library PC, Print Shop or Hotel Lobby shared among strangers. Depending on the relationships involved, this my create security and/or privacy risks.

One obvious concern is that a user not be able to modify the environment in some way as to deliberately compromise the security or privacy of users which use the browser subsequently. However, this is essentially the TCB compromise problem, which is out of scope for this WG.

There remains the concern that information may inadvertently leak from one user to a subsequent user. This obviously applies to secrets, like passwords, but also might include privacy sensitive information, such as sites visited. Generally the administrator of the shared system utilizes mechanisms available in the underlying OS to reset some information to standard values and clear other information. However, it may not always be that easy to identify which information falls in which category.

It seems to me that all browser configuration information falls into one of four categories in the context of a particular deployment.

1. Information which may be changed by the user and is discarded when they leave. (history, bookmarks) 2. Information which may be changed by the user, but will be reset to particular values when they leave. (enable Javascript) 3. Information which may be changed by the user and will persist. (not sure this is a real case or just a logical possibility) 4. Information which the user may not change. (proxy configuration)

It is my impression that browsers currently do not make it particularly easy to:

a. discover what configuration information the browser keeps. b. discover where it is stored. c. treat different items differently as above 1-4.

Originally I thought that everything could be classified a prior as 1, 2, 3 or 4, but I now believe that for some items it my be specific to the deployment. For example, choosing which SSL/TLS versions or crypto suites to use or whether to use a proxy or not, might be #2 on some shared systems and #4 on others.