initial WebID Document considerations #9
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -118,3 +118,39 @@ The attacker writes a malicious `text/html` file to the server. Depending on the | |||||||||||||||||||||||||||||
| #### Considerations | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| Servers are strongly encouraged to consider the countermeasures in the context of the use cases they want to enable or disable on a given storage. For instance, using `Content-Security-Policy: sandbox` will universally prohibit various functionalities for applications, including but not limited to accessing local storage, executing scripts, using forms, interacting with plugins, or including external content. This broad range of restrictions may not be desirable for various categories of applications that rely on client-side storage mechanisms, collaborative features, or dynamic content interaction. | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| ## Protecting WebID Document ## {#protecting-webid-document} | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| Solid access policy enforcement heavily relies on the identities of agents. Requesting Parties are identified | ||||||||||||||||||||||||||||||
| with [[WebID]] and applications with ClientID [[Solid.OIDC]]. | ||||||||||||||||||||||||||||||
| User's WebID Document includes trust anchors, like designation to their [[Solid.OIDC]] Provider (aka. issuer). | ||||||||||||||||||||||||||||||
| In other approaches, public keys could be published or discoverable via the user's WebID Document. | ||||||||||||||||||||||||||||||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| ### Fully impersonate the user | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| If the malicious app can write or append to the user's WebID, it could inject trust anchors, allowing complete impersonation. | ||||||||||||||||||||||||||||||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| #### Prerequisites | ||||||||||||||||||||||||||||||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| * Authorization system depends on a specific trust anchor in the user's WebID Document. | ||||||||||||||||||||||||||||||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||||||||
| For example, [[Solid.OIDC]] issuer designation or pubic keys/keyset. | ||||||||||||||||||||||||||||||
| * User authorizes a malicious application to write or append to their WebID Document. | ||||||||||||||||||||||||||||||
|
There was a problem hiding this comment. The context of malicious application is unclear here. Whether it is something that adheres to Solid Protocol interacting with a Solid storage, or just generally anything potentially having the means to update the WebID Profile Document. They are separate cases, and whether or to what extent this document (Solid Security Considerations) should touch on WebID Profile Documents that are not available via the Solid Protocol needs a consideration.
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| #### Attack | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| * The attacker publishes a malicious application, such as generating cool AI avatars and setting them in the user's profile. | ||||||||||||||||||||||||||||||
| * User authenticates with the malicious application | ||||||||||||||||||||||||||||||
| * If the access control system enforces client constraints, the user also authorizes the application to write or append to their WebID Document. | ||||||||||||||||||||||||||||||
| * Application injects attacker's trust anchor into the user's WebID Document | ||||||||||||||||||||||||||||||
| * The attacker can completely impersonate the user, which allows full access to all the data owned by the user. | ||||||||||||||||||||||||||||||
| As well as any data shared with that user by others, with the full extent of access they granted to the user. | ||||||||||||||||||||||||||||||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| ### Countermeasures | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| * There is no requirement to expose WebID Document via [[Solid.Protocol]] and host it in Solid Storage. | ||||||||||||||||||||||||||||||
|
There was a problem hiding this comment. This needs more nuance. Technically true for any WebID Profile Document but not true for Solid WebID Profiles. In other words, WebID Profile Documents served from a Solid Storage - which is a core requirement from Solid use cases - naturally use the Solid Protocol. There was a problem hiding this comment. Solid Protocol 0.11 doesn't depend on a WebID profile draft. If Solid Protocol 0.11 requires a WebID Document to be exposed via the Solid Protocol, please link it in this thread. There was a problem hiding this comment.
Suggested change
There was a problem hiding this comment. @elf-pavlik , in https://github.com/solid/security-considerations/pull/9/files#r1626487426 you are now using Solid application as the prerequisite of the attack. That's obviously only meaningful in the context of the Solid Protocol and hence Solid storage since Solid applications can't be guaranteed to do anything against servers that do not conform to the Solid Protocol. If the idea is to only detail attacks pertaining to WebID Profile Documents hosted on a Solid storage and that their trust anchors could change, then stick to that. There was a problem hiding this comment. Hosting a WebID Document in Solid Storage makes this attack possible. One proposed countermeasure is not to host the WebID Document in Solid Storage.
There was a problem hiding this comment. So, the take away is that if we don't use Solid, the system will actually be more secure? =) Maybe we need to rethink that... A similar attack categorically exists when the document is not hosted on a Solid storage. Whatever takes to modify the trust anchor. There was a problem hiding this comment. Please consider comparing it to a secured house with a security safe inside. While the house already has a security system, some critical items are protected by being placed in a security safe. Does it make no sense to use the safe if you can't fit the whole house in it? There was a problem hiding this comment.
Right. I think this PR is saying "if you need to host a WebID Document securely, don't do it with Solid". What I think we should be doing here is "If you need to host a WebID Document securely on a Solid storage, here's how to do it". There was a problem hiding this comment. Those two approaches are not mutually exclusive. One may be available today, and one could be made available sometime in the future. If you have an alternative countermeasure, please create a PR. There was a problem hiding this comment.
We also need to rethink removing user control over the most important document in the Solid ecosystem. @elf-pavlik mentioned how many members of the CG have their WebIDs hosted on non-Solid servers but that is really irrelevant. A CG member does not lose control over their WebID, they know how to edit it and what the edits mean. This does not apply to the general public who could benefit from a profile-editing app that informs them of what their changes mean. |
||||||||||||||||||||||||||||||
| WebID providers can support only a set of discovery features relying on the WebID document and provide | ||||||||||||||||||||||||||||||
elf-pavlik marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||||||||||||||||||||||||
| highly secured interface to change it, possibly requiring two-factor authentication. | ||||||||||||||||||||||||||||||
|
There was a problem hiding this comment. Instead of "WebID provider", can this be expressed using other terms related to, e.g., "Solid storage", "WebID Profile Document", "HTTP server", "OAuth Identity Provider" or something else? The user was tricked into authorizing the application, it is unclear how 2FA would actually be a countermeasure besides introducing additional steps to the user. If the idea is that the user should be made aware of all or any "important" changes to the WebID Profile Document (in which the trust anchor is being injected) in the form of having them go through 2FA, this can be made more clear in the text. This countermeasure also seems to punt the problem. It seems to essentially boil down to user being made aware of potentially unwanted changes to their WebID Profile Document. Perhaps this should jump out more in the text? |
||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| #### Considerations | ||||||||||||||||||||||||||||||
| Users need a way to manage their social profiles, approaches like linking from the user's WebID Document to | ||||||||||||||||||||||||||||||
| less protected vcard are available to accomplish it without opening discussed attack vectors. | ||||||||||||||||||||||||||||||
|
There was a problem hiding this comment.
Suggested change
There was a problem hiding this comment. What are you basing this performance aspect on? There was a problem hiding this comment.
Suggested change
There was a problem hiding this comment. There was a problem hiding this comment. My suggestion doesn't have 3. ... So we have O(1) and O(2), if we have a list of n users we would have O(n) and O(2n). |
||||||||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
...except that the WebID XG never published this, with or without a version declaration. It would be better to title it as what it was,
"WebID 1.0 Editor's Draft"(which must be read and understood as"Editor's Draft of WebID 1.0") ... and of course, the document now served from that location says "Draft Community Group Report 05 March 2014", which is similarly but differently inaccurate and contrary to the "publisher" identified here.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In case we can't quickly resolve it in this PR I created a dedicated issue for it #10