12272 2011-03-09 17:40:41 +0000 Improve section on DNS spoofing attacks to address user attacks 2011-06-01 18:21:07 +0000 1 1 1 Unclassified WebAppsWG Web Storage (editor: Ian Hickson) unspecified All All RESOLVED FIXED P2 normal --- 1 watsonm ian art.barstow ayg ian mike public-webapps public-webapps-bugzilla oldest_to_newest 46577 0 watsonm 2011-03-09 17:40:41 +0000 Section 7.1 on DNS spoofing attacks states: "Pages using TLS can be sure that only pages using TLS that have certificates identifying them as being from the same domain can access their storage areas." We could add "This protects against DNS spoofing attacks which do not involve the user. However, if the user is involved in the attack this protection can be circumvented by the user installing root certificates for fake certification authorities and then creating site certificates to be used in conjunction with DNS spoofing. Therefore a web page author cannot be sure that the information stored in web storage has not been viewed or modified by or on behalf of the user." i.e. page authors should be aware that even with TLS information inside web storage can be viewed and modified by or on behalf of the user. 46585 1 ayg 2011-03-09 20:41:34 +0000 How is this different from the user just manually editing the storage areas on disk, or a malicious program installed on their computer doing that? The client is always untrusted. The only guarantees we can even try to provide are against network attacks, e.g., an attacker who gets the user to visit a malicious webpage. That should be safe as long as the client isn't compromised. 46588 2 watsonm 2011-03-09 20:54:47 +0000 (In reply to comment #1) > How is this different from the user just manually editing the storage areas on > disk, or a malicious program installed on their computer doing that? The > client is always untrusted. The only guarantees we can even try to provide are > against network attacks, e.g., an attacker who gets the user to visit a > malicious webpage. That should be safe as long as the client isn't > compromised. You're right, but the existing text suggested to me that using TLS provided some assurance *for the web page* that the information was safe from attack. In fact it provides this assurance only in respect of certain kinds of attack. Perhaps that is implicit and doesn't need to be called out ? 46626 3 ayg 2011-03-11 02:15:50 +0000 Yes, maybe it would be worth explicitly calling out (if it hasn't been already) that anyone with access to the user's computer has full access to website storage. Some people seem to get confused about that and think that some type of magical encryption should be used that only lets the site itself access it, somehow. 49024 4 ian 2011-06-01 17:42:19 +0000 I've tweaked the text. 49025 5 contributor 2011-06-01 17:43:43 +0000 Checked in as WHATWG revision r6169. Check-in comment: Don't overpromise in security sections... http://html5.org/tools/web-apps-tracker?from=6168&to=6169