This comment is based on https://www.w3.org/TR/epub-rs-33/#security-privacy-recommendations, which states:

> Reading systems that allow users to load untrustworthy EPUB publications (e.g., unsigned EPUB publications through the process of "sideloading") SHOULD treat such content as insecure (e.g., prompt users to allow scripting and network access).

In my opinion, there are several compelling reasons why it’s necessary to treat all EPUB publications as insecure and not to make a distinction between sideloaded and non-sideloaded publications:

1. The vetting process of most e-book vendors that provide self-published EPUB publications is inadequate, as shown in Section VII.B ("Malicious EPUB distribution through self-publishing") of our paper. There, we demonstrate that huge vendors like Amazon, Apple Books and Kobo can be abused to distribute malicious publications. In this experiment, even simple injections of scripts and network access could be done without any tactics to circumvent vetting.
2. Input validation is a challenging problem, and even if vendors improve their vetting processes, there is no guarantee that complex attacks can’t occur.
3. Vendors are not transparent about their vetting processes, and it’s possible that some of them don’t even prioritize end-user security and privacy. Furthermore, we did not receive any reply from the affected vendors indicating that they will remedy the issue.
4. Not only self-published publications but also established publishing houses might use scripting and network access to track the reading habits of customers. End-users should be able to block this.
5. Requiring user consent before allowing scripting and network access is a very cost-effective and necessary layer of defense for all EPUB publications. The implementation cost is negligible, as it’s already recommended for sideloaded publications.

In summary, in my opinion and as evidenced by our prior research, relying on user consent is a more effective way to address security and privacy concerns in EPUB publications than relying on non-transparent vendor-side vetting processes.
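A consent prompt only helps if the reading system knows, before rendering, whether a publication actually uses scripting or network access. The following is an added example (not code from the comment author, the W3C spec, or any reading system) of such a pre-render audit: it reads `META-INF/container.xml`, follows the OPF manifest, and checks both the declared `scripted` / `remote-resources` item properties and the content documents themselves, since a malicious author can simply omit the declarations. The EPUB it audits is constructed in memory; the `tracker.example` URLs and the `AuditResult` / `audit_epub` / `build_epub` names are assumptions made for this example. CSS (`@import`, `url()`) is not inspected.

```python
"""Pre-render audit of an EPUB for scripting and network use (added example)."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

NS = {
    "ocf": "urn:oasis:names:tc:opendocument:xmlns:container",
    "opf": "http://www.idpf.org/2007/opf",
}
# Attributes whose value the renderer fetches automatically (an <a href> needs a click).
FETCH_ATTRS = {"src", "href", "data", "poster"}
CONTENT_TYPES = {"application/xhtml+xml", "image/svg+xml"}


@dataclass
class AuditResult:
    needs_script_consent: bool = False
    needs_network_consent: bool = False
    findings: List[str] = field(default_factory=list)


def is_remote(url: str) -> bool:
    return urlparse(url).scheme.lower() in {"http", "https", "ws", "wss", "ftp"}


def scan_content_doc(xml_bytes: bytes) -> Tuple[bool, List[str]]:
    """Return (uses_script, remote_urls) for one XHTML or SVG content document."""
    uses_script, remote_urls = False, []
    for el in ET.fromstring(xml_bytes).iter():
        if not isinstance(el.tag, str):          # skip comments / processing instructions
            continue
        tag = el.tag.split("}")[-1].lower()      # strip the XML namespace
        if tag == "script":
            uses_script = True
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):           # inline event handler, e.g. onload=
                uses_script = True
            elif local in FETCH_ATTRS and not (tag == "a" and local == "href") and is_remote(value):
                remote_urls.append(value)
    return uses_script, remote_urls


def audit_epub(data: bytes) -> AuditResult:
    """Walk container.xml -> OPF manifest -> content documents and collect findings."""
    result = AuditResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        container = ET.fromstring(zf.read("META-INF/container.xml"))
        rootfile = container.find(".//ocf:rootfile", NS).get("full-path")
        opf_dir = posixpath.dirname(rootfile)
        opf = ET.fromstring(zf.read(rootfile))
        for item in opf.findall(".//opf:manifest/opf:item", NS):
            href = item.get("href", "")
            props = item.get("properties", "").split()
            if "scripted" in props:             # declared, but declarations cannot be trusted
                result.needs_script_consent = True
                result.findings.append(f"manifest: {href} declares scripted")
            if "remote-resources" in props or is_remote(href):
                result.needs_network_consent = True
                result.findings.append(f"manifest: {href} is or uses a remote resource")
            if is_remote(href) or item.get("media-type") not in CONTENT_TYPES:
                continue
            path = posixpath.normpath(posixpath.join(opf_dir, href))
            uses_script, remote_urls = scan_content_doc(zf.read(path))
            if uses_script:
                result.needs_script_consent = True
                result.findings.append(f"{path}: contains <script> or an inline event handler")
            for url in remote_urls:
                result.needs_network_consent = True
                result.findings.append(f"{path}: fetches {url}")
    return result


def build_epub(chapter_xhtml: str, declare_scripted: bool = False) -> bytes:
    """Construct a minimal single-chapter EPUB in memory (sample data for this example)."""
    props = ' properties="scripted"' if declare_scripted else ""
    opf = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<package xmlns="http://www.idpf.org/2007/opf" version="3.0" unique-identifier="uid">'
           '<metadata xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:identifier id="uid">urn:uuid:sample'
           '</dc:identifier><dc:title>Sample</dc:title><dc:language>en</dc:language></metadata>'
           f'<manifest><item id="ch1" href="ch1.xhtml" media-type="application/xhtml+xml"{props}/></manifest>'
           '<spine><itemref idref="ch1"/></spine></package>')
    container = ('<?xml version="1.0"?><container version="1.0" '
                 'xmlns="urn:oasis:names:tc:opendocument:xmlns:container"><rootfiles>'
                 '<rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/>'
                 '</rootfiles></container>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/container.xml", container)
        zf.writestr("OEBPS/content.opf", opf)
        zf.writestr("OEBPS/ch1.xhtml", chapter_xhtml)
    return buf.getvalue()


# Constructed sample chapters: one plain, one with an undeclared tracking pixel and script.
CLEAN_CHAPTER = '<html xmlns="http://www.w3.org/1999/xhtml"><body><p>Plain text only.</p></body></html>'
TRACKING_CHAPTER = ('<html xmlns="http://www.w3.org/1999/xhtml"><body><p>Chapter 1</p>'
                    '<img src="https://tracker.example/pixel.png" alt=""/>'
                    '<script>/* constructed sample; body irrelevant to the audit */</script></body></html>')

if __name__ == "__main__":
    for label, chapter in (("clean", CLEAN_CHAPTER), ("tracking", TRACKING_CHAPTER)):
        r = audit_epub(build_epub(chapter))
        print(label, "script consent:", r.needs_script_consent, "network consent:", r.needs_network_consent)
        for f in r.findings:
            print("   ", f)
```

A reading system would run this on every publication it opens, regardless of how it was obtained, and render with scripting and networking disabled unless the user grants the capabilities the findings call for.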