Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

initial WebID Document considerations #9

Merged
merged 3 commits into from
Jun 19, 2024
Merged

initial WebID Document considerations #9

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4036162
initial WebID Document considerations
elf-pavlik Jun 4, 2024
0e78177
Apply suggestions from code review
elf-pavlik Jun 6, 2024
7f8188b
replace the initial countermeasure with an inline issue
elf-pavlik Jun 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions biblio.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,5 +26,15 @@
],
"href": "https://solidos.solidcommunity.net/",
"title": "SolidOS"
},
"WebID": {
"authors": [
"Andrei Sambra",
"Henry Story",
"Tim Berners-Lee"
],
"href": "https://www.w3.org/2005/Incubator/webid/spec/identity/",
"title": "WebID 1.0",
"publisher": "WebID Incubator Group"
Comment on lines +37 to +38
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...except that the WebID XG never published this, with or without a version declaration. It would be better to title it as what it was, "WebID 1.0 Editor's Draft" (which must be read and understood as "Editor's Draft of WebID 1.0") ... and of course, the document now served from that location says "Draft Community Group Report 05 March 2014", which is similarly but differently inaccurate and contrary to the "publisher" identified here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In case we can't quickly resolve it in this PR I created a dedicated issue for it #10

}
}
38 changes: 38 additions & 0 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,3 +118,41 @@ The attacker writes a malicious `text/html` file to the server. Depending on the
#### Considerations

Servers are strongly encouraged to consider the countermeasures in the context of the use cases they want to enable or disable on a given storage. For instance, using `Content-Security-Policy: sandbox` will universally prohibit various functionalities for applications, including but not limited to accessing local storage, executing scripts, using forms, interacting with plugins, or including external content. This broad range of restrictions may not be desirable for various categories of applications that rely on client-side storage mechanisms, collaborative features, or dynamic content interaction.

## Protecting WebID Document ## {#protecting-webid-document}

Solid access policy enforcement relies heavily on the identities of agents. Requesting Parties are identified
by [[WebID]] and applications by ClientID [[Solid.OIDC]].
A User's WebID Document includes trust anchors, like designation of their [[Solid.OIDC]] Provider (also known as _issuer_).
In other approaches, public keys could be published or discoverable via the user's WebID Document.

### Fully impersonate the user

If a malicious app can write or append to the user's WebID Document,
it could inject trust anchors, allowing complete impersonation.

#### Exploit Prerequisites

* Solid's authorization system depends on a specific trust anchor in the user's WebID Document.
For example, [[Solid.OIDC]] issuer designation or pubic keys/keyset.
* User authorizes a malicious Solid application to write or append to their WebID Document.

#### Attack

* The attacker publishes an attractive malicious application, such as one that generates cool AI avatars and setting them in the user's profile.
* User authenticates with the malicious application.
* If the access control system enforces client constraints, the user also authorizes the application to write or append to their WebID Document.
* Application injects attacker's trust anchor into the user's WebID Document.
* The attacker can now completely impersonate the user, with full access to all the data owned by the user,
as well as access to any data shared with that user by others, to the full extent they granted to the impersonated user.

### Countermeasures

* There is no requirement to expose WebID Document via [[Solid.Protocol]] nor to host it in Solid Storage.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's needed if the end user wants to use a Solid app to update their photo and contact details.
That's a pretty common thing to do.
So if the main WebID doc is not editable, then all info that a user would want to edit (like contact details and photo) should be in extended profile docs using rdfs:seeAlso

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I included it in the considerations section. I didn't mention rdfs:seeAlso because I see it as a very poor choice. We should pick or mint a dedicated predicate for that. All those details are outside the scope of this PR.

Copy link
Member

@jeff-zucker jeff-zucker Jun 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't mention rdfs:seeAlso because I see it as a very poor choice. We should pick or mint a dedicated predicate for that. All those details are outside the scope of this PR.

I very much agree that a dedicated predicate is needed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So if the main WebID doc is not editable, then all info that a user would want to edit (like contact details and photo) should be in extended profile docs using rdfs:seeAlso

And what happens if there is no rdfs:seeAlso in the WebID document? The user must manually request one? And suppose a different seeAlso is needed, does that go in the first rdfs:seeAlso and how many recursions are apps expected to go to find the seeAlsos in the seeAlsos? And if there are 10 seeAlso docs and the photo-album pointer is in the 10th - this means 10 loads instead of a maximum of one or two. There is no way for a user to prioritize public data by placing it where apps will see it first or second. Look at the diagrams I have posted above - with #2 (a dedicated predicated) there is a maximum of two loads to get to something prioritized. In #3, with only seeAlso, there is an unknown number of loads

Service providers who offer hosting of WebID Documents can minimally support
a set of discovery features that rely on the WebID document and provide a
highly secured interface to change it, possibly requiring two-factor authentication.

#### Considerations
Users need a way to manage their social profiles, approaches like linking from the user's WebID Document to
less protected vcard are available to accomplish it without opening discussed attack vectors.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Users need a way to manage their social profiles, approaches like linking from the user's WebID Document to
less protected vcard are available to accomplish it without opening discussed attack vectors.
Users need a way to manage their social profiles, approaches like linking from the user's WebID Document to
less protected vcard are available to accomplish it without opening discussed attack vectors.
For performance reasons, applications may only read the primary WebID Profile Document and ignore useful information which may only be available from additional profile documents.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are you basing this performance aspect on?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Users need a way to manage their social profiles, approaches like linking from the user's WebID Document to
less protected vcard are available to accomplish it without opening discussed attack vectors.
Users need a way to manage their social profiles. Approaches like linking from the user's WebID Document to
less-protected vcards are available to accomplish this without opening discussed attack vectors.
For performance reasons (e.g., the time required to retrieve multiple linked documents from
remote services), applications may choose to only read the primary WebID Profile Document and
ignore possibly useful information which may only be available in additional profile documents.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something like:

  1. GET https://solid-protocol-conforming-server.example.net/profile/card#me

O(1)

vs.

  1. GET https://non-solid-protocol-conforming-server.example.com/profile/card#me
  2. GET https://solid-protocol-conforming-server.example.net/profile/card#me
  3. ...

O(n)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My suggestion doesn't have 3. ... So we have O(1) and O(2), if we have a list of n users we would have O(n) and O(2n).