search

privacycg / proposals

New proposals in the Privacy Community Group
https://privacycg.github.io
124 stars 5 forks source link

Privacy by design with browser-managed E2E encryption and Fenced Frames #31

Open Minigugus opened 2 years ago

Minigugus commented 2 years ago

Offline-only storage

TLDR Add built-in end-to-end encryption support into web browsers, and prevent first-party from leaking data by denying network access once enabled. Also, allow users to choose where their encrypted data should be stored (not an issue for the web site publisher as it won't be able to read data anyway, because of E2E encryption)

Here is a summarized description of traditional architecture for web apps:

flowchart LR;
  subgraph P ["Back-end (Publisher's servers)"]
    SPB("Web app");
  end

  subgraph C ["Front-end (Consumer device)"]
    SC(User);
    subgraph BB ["Web browser"]
      SPF("Web app");
      B("Storage API");
    end
  end

  style BB fill:darkblue,stroke-width:0px;

  SC-->|Request/Update|SPF;
  SPF-->|Respond/Inform|SC;
  SPF-.->|Request/Update|SPB;
  SPB--->|Front-end code|SPF;
  SPB-.->|Respond/Inform|SPF;
  SPF-->|Process|SPF;
  SPB-.->|Process|SPB;
  SPF-->|"Write"|B;
  B-->|"Read"|SPF;

This architecture works great, except for privacy: the web app publisher owns users data (or at least this architecture requires the web app publisher to have full access to users data, in order for the web app to work properly). This is an issue, for users, but also for the web app publisher:

Actually, with this architecture, the web app publisher doesn't really have the choice to own user data. The modern web offers solutions to theses issues (e.g. PWAs), but that's not enough for web apps in production that could leverage browser storage as main storage provider (e.g. single player games, IDEs, authenticators/passwords managers apps):

Theses are true blockers for many web apps that could work entirely without a back-end. A good example of such apps are single-player games, or even authenticator/passwords managers apps: web app's publisher must not be able to access highly sensitive user data, and once loaded, the app doesn't need a server to provide credentials (OTP for instance), then the best would be to only store user data client-side only, but that's risky: the browser may not encrypt browser's storage, and even worse, the user might accidentally clean application storage permanently, which is extremely dangerous for OTP. As a result, authenticator/passwords managers apps can't be built as web apps, or at least required E2E encryption + authentication, which is costly for the publisher, and don't prevent all security risks (on compromised update of the front-end code could still leak sensitive user data). As explained below, the solution proposed here try to address these issues with a small architecture change for web apps that opt-in.

Proposed solution: External storage provider + Fenced frames

Offer to web apps a way for storing all data client-side rather than server-side, but with the trade-off of loosing network access (to prevent data leaks):

flowchart RL;
  subgraph C ["Front-end (Consumer device)"]
    SC(User);
    subgraph BB ["Web browser"]
      B("Storage API");
      SPF("Web app");
    end
  end

  subgraph S ["Storage provider environment"]
    SSP("Storage provider");
  end

  subgraph P ["Back-end (Publisher's servers)"]
    SPB("Web app");
  end

  style BB fill:darkblue,stroke-width:0px;
  style SSP fill:green,stroke-width:0px;

  SC-->|Request/Update|SPF;
  SPF-->|Respond/Inform|SC;
  SPF-->|"Write"|B;
  B-->|"Read"|SPF;
  B==>|"Persist"|SSP;
  SSP==>|"Retrieve"|B;
  SPB--->|Front-end code|SPF;
  SPB-.->|Inform|SPF;
  SPF-->|Process|SPF;
  SPF-.->|Request/Update|SPB;

  linkStyle 4 stroke:green,stroke-width:4px;
  linkStyle 5 stroke:green,stroke-width:4px;
  linkStyle 9 stroke:red,stroke-width:4px;

As shown above, the proposed solution consist of 2 parts:

As a result, web apps using the offline-only storage will always respect user privacy. Browsers should then inform the user about that positive point, so that web apps get "rewarded" with happier users (much like with the green lock when websites preferred HTTPS over HTTP). That way, the web should tend to become safer at the same time.

For quite obvious reasons, the proposed solution have to be opt-in for web apps providers, or it would break all the web. The "how" is still to be discussed thought.

Pros

Cons

Implementation details

While this document is entitled "Offline-only", not all requests are expected to be blocked: actually, here, the meaning of "offline-only" is more "side-effect free", i.e. that can't leak user data content. For instance, requests resulting of a user navigation are side effect free, because the server can't infer anything about the user data content (assuming the URL wasn't generated using user data - the anchor (<a>) case is still to be discussed thought). On the other side, it's not possible for the web browser to know which fetch('http(s)://...') requests are side effect free, so they should be blocked. JS-triggered requests may still be allowed on some cases thought, for instance with prefetched SXG, but it's still to be discussed. Furthermore, note that readonly communication is still allowed while having user data access (e.g. via postMessage (with SharedArrayBuffer disallowed), or reading Unpartitionned Storage).

Depending on the feasibility, it might be possible to allow web apps to work in both trusted (user data access, communication restrictions) and untrusted (no user data access, no communication restriction) modes, at the same time: for instance, the service worker might be running in an untrusted context and the main page in a trusted one. The service worker would be able to send messages via postMessage to the main page when a push notification is received for instance.

Concerning how a web app request trusted mode, multiple solutions are available for discussion:

Offline-only storage could work in private browsing, since no user data would leave the browser anyway.

Link with Fenced Frames

The proposed feature could work like how Fenced Frames' read-only mode works. The main difference, however, is that a web app should be able to self-enter isolation mode (with some API), i.e. could work on top-level frames. This is important to allow browsers to notify the user that the displayed web page now operate privatly (good for web site reputation), and also to avoid top-level web documents to display a sole Fenced Frame HTML element when they want to use privacy-restricted APIs.

Other points to discuss:

Conclusion

The suggested feature is ambitious, there are some implementation challenges to overcome, yet implications for security, privacy and web's future are worth a look. Not all web apps can use the proposed storage, but at least some could, empowering users by letting them deal with their data as they which. Anyway, I hope this document could contribute to W3C privacy goals for the web.

Related

EDIT 2021/05/27: realized it's a form of E2E encryption (simpler to describe) EDIT 2021/05/29: added the Storage Access API as a good candidate for implementing this API on EDIT 2021/05/30: added links with Fenced Frames read-only mode

ajpauwels commented 2 years ago

Hello all, really enjoy this post. The web has a privacy and data problem, and it stems from its basic storage model as is highlighted in this post.

Redact is an open-source implementation of exactly a protocol like the one described here, with some modifications. For one, there is no deep integration with browser code, the frame implementation is provided via a server that runs locally next to the browser.

Although it is not feature complete and alpha at best, there is a functional "redacted" website which can be accessed and browsed via a regular web browser securely after the basic software is installed locally. It includes:

You can get started with it here: https://docs.redact.ws/en/latest/

If the privacy community group has any interest in discussing something like this I would love to be a part of that discussion!

I'll also drop a link to a discussion in a rust group about this here.

ghost commented 2 years ago

Hi all! An interesting question is it possible to integrate Solid with this proposal here? @ajpauwels @Minigugus @hober @dmarti @chrisn

1. Context

1.1 What is WebAuthn?

WebAuthn is a browser-based API that allows for web applications to simplify and secure user authentication by using registered devices (phones, laptops, etc) as factors. It uses public key cryptography to protect users from advanced phishing attacks.

1.2 Why use WebAuthn?

  1. WebAuthn is part of the FIDO2 framework, which is a set of technologies that enable passwordless authentication between servers, browsers, and authenticators. As of January 2019, WebAuthn is supported on Chrome, Firefox, and Edge, and Safari.
  2. WebAuthn is supported by the following web browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari and the Opera web browser. The desktop version of Google Chrome has supported WebAuthn since version 67.

1.3 What is Solid Project?

Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for your data.

1.4 Why use Solid?

  1. Any kind of information can be stored in a Solid Pod.
  2. You control access to the data in your Pod. You decide what data to share and with whom (be it individuals, organizations, and/or applications). Furthermore, you can revoke access at any time.
  3. To store and access data in your Pod, applications use standard, open, and interoperable data formats and protocols.

2. Possible solutions to general information security problems

  1. I believe that these proposals here like WebAuthn, Solid and 'Privacy by design with browser-managed E2E encryption are good for ensuring data privacy and security'.
  2. I keep asking and wondering if we couldn't put all these proposals together to create an algorithm that is even stronger and safer than ever. Perhaps it is an initial mistake to imagine that it should be possible to have security so good that it is "impenetrable", "secure", "strongest" ever.
  3. I have more doubts than the statements I spoke above, I spoke in a sense of concept and idea in terms of draft proposal.
  4. WebAuthn is approved as new web standard for passwordless logins. This will allow users of WebAuthn-compatible browsers such as Chrome, Firefox, Edge or Safari to use this API as a mechanism to access their accounts through mobile devices, USB security keys or biometric systems, replacing the use of passwords and, while strengthening security. This system is more secure than one that offers a weak password, like the one often chosen by users.
  5. I believe login without passwords is the "best way" - in most cases users create easy passwords that only a brute force, phishing or social engineering attack "is easy to get access to this data, information". In this sense, I was happy with WebAuthn's proposal - because in my opinion it allows users to have an api to use login without passwords and this, in my opinion, is great progress. I know when it comes to data security and privacy and anonymity - there are always good things and bad things. That's why I think of a good path or direction for all sides.
  6. I wish there was a single standard for password management, I believe that for this to be done we must have an incredible proposal for it: WebAuthn, Solid and 'Privacy by design with browser-managed E2E encryption are good for ensuring data privacy and security'.
  7. My idea here is a doubt if it would be possible to integrate WebAuthn with this proposal here. So... I believe that the most "smart" browsers should manage passwords for the users. And most browsers do just that.

3. "Universal laws for optimal data security"

  1. Importing and exporting browser passwords must have a universal and encrypted password pattern. There is a technical discussion about Mozilla Firefox using the encryption format here: Encryption of passwords imported into a file.
    • The problem with passwords today is that every browser implements the way to import and export passwords.
    • I argue that to have good security/privacy of user data we have to have a universal standard in importing/exporting passwords. As a matter of technological, individual, philosophical and rational freedom
    • I believe that for this to be done, we have to adopt the standard of open solutions with MIT/GPL open licenses, etc.
    • Keepass is an open source solution for managing passwords, it would be nice to have the same file format for all web browsers. When I refer to a universal standard for importing/exporting passwords, I say that it would be interesting, as I said before, to adopt the keepass open format for this.
    • Keepass has been around for a long time and is a well-established, popular solution known all over the world.
    • Adopting the Keepass format for importing/exporting passwords gives people more freedom. Well, Keepass software is licensed under the GPL - the same license as Linux. Which, in theory, will always be available openly.
    • It's 2022, and the bookmarks format is the same as it was in 1999. So why don't we have the same Keepass format for importing/exporting passwords in all browsers? - reference here Netscape bookmarks
  2. "Data is always from users regardless of whether it is government, company" - Only users can decide whether they want to give their data to governments or companies by contract, agreement, duty, law, free will, free initiative, autonomy - note: I don't know anything about justice, I'm not a lawyer, prosecutor or judge. Any of these points I can be wrong, I spoke here in general. If at this point I said something wrong, correct, criticize, present the fault and the solution. In that case, I will make the correction here.
    • When I talk about user data: I am referring only to registration data in logins or data that talk about users: political, health or philosophical data, etc.
    • And companies or governments can take care of user data only if the users allow it, want it, have the vote to do so.
    • Data security and privacy laws is a way or agreement to say and show this idea/concept.
    • We currently have the Solid pattern that addresses this concept, where users can store certain data in their Pods.
  3. "Browsers/websites/plataforms/social media know a lot about users, users don't always like or prefer to read security and data privacy policies". In this sense, passwordless login, e2e encryption can work to support users in general. Knowing this, the proposal here I think agrees with this idea that I write: 'Privacy by design with browser-managed E2E encryption are good for ensuring data privacy and security'.
  4. Users cannot always create secure passwords, there must be a way to create passwords for users themselves. This can be done with the Web Authn proposal.

4. My concept

  1. Import/export passwords in keepass format for all browsers
  2. Create a proposal on data security and privacy at the W3C by joining the following proposals: WebAuthn, Solid and 'Privacy by design with browser-managed E2E encryption are good for ensuring data privacy and security'.
  3. Browsers must be compatible with WebAuthn, Solid and 'Privacy by design with browser-managed E2E encryption are good for ensuring data privacy and security'.
  4. I found this question here: 'A question is it possible to use the FIDO protocol and hardware keys through E2E in browsers?' in [Proposal] Built-in E2E encryption into web browsers and I want built-in E2E encryption into web browsers+FIDO Protocol and Hardware keys

5. FAQ

The security/privacy risk is still present: compromised front-end code can still intercept user data (even with E2E encrypted apps: listening to DOM changes is enough)

  • If the browser is integrated with an offline authentication device, would it be possible to solve this security issue?
  • In case of logging in without passwords, we can usually authenticate with a usb device.
  • If the browser has E2E on an offline device - maybe it increases security? A new threat model emerge, where web apps may leak data via QR codes, file system access, and so on. These threats already exists, but they risk to become more intrusive than before. Anyway, web apps already get flagged as malicious when they try to harm users so mitigation already available.
  • Maybe 'E2E encryption into web browsers+FIDO Protocol and Hardware keys' can be an alternative to solve this kind of problem

6. Notes

  1. I would like to know if this idea is good or bad
  2. My goal is to help this communities: PrivacyCG, Solid, W3C, WIGC, WebAuthn, KeepPass, Browsers(Brave, Vivaldi, Opera, Mozilla Firefox, Libre Wolf, Google Chrome etc)
  3. I didn't find any link, resource for this here in PrivacyCG Community
  4. I'm not promoting any company, service, product, solution, idea here - just adding the bibliographic reference links
  5. If I'm wrong about something, speak up, criticize, correct

7. References

Minigugus commented 2 years ago

there is no deep integration with browser code, the frame implementation is provided via a server that runs locally next to the browser.

@ajpauwels I think you've understood the main point of this proposal :+1: Yet, running a local server, plus using a lot of iframes risk to slow down adoption of this proposal. Moreover, security measures are best implemented at browser level (for instance with Redact, it's not possible to protect against malicious web extensions).

If possible, like you, I would like to discuss this proposal further with those interested :slightly_smiling_face:

  1. You control access to the data in your Pod. You decide what data to share and with whom (be it individuals, organizations, and/or applications). Furthermore, you can revoke access at any time.

The goal of this proposal is especially to avoid privacy issues by never sharing user data with third-parties, so I don't think Solid is compatible and comparable with this project. Also, letting users choose what they want to share would require a common data format for data storage, which is really constraining both for website developers and browsers developers.

However, this proposal encourage WebAuthn for authentication with the storage provider.