w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Privacy Risks of The Things Directory, WoT Servient Gateway, and Gateway #71

Closed jasonanovak closed 5 years ago

jasonanovak commented 6 years ago

The Things Directory, WoT Servient Gateway, and Gateway with Remote Cloud are discussed as Examples of WoT security configurations but they aren’t discussed as privacy risks, e.g.:

mmccool commented 6 years ago

Some related risks are already discussed in the Security and Privacy Considerations document. However, your specific point is correct: the Thing Directory can be a privacy risk; so it has to be running somewhere you can trust will not "leak" your information. This could be in a trusted cloud service (do you trust Amazon?) or running on your own gateway (probably most useful in corporate contexts, where it would be managed by IT).

We should add a note about this point to the Security and Privacy Considerations.

Gateways doing bridging have similar issues if they have to decrypt payloads, transform them, and re-encrypt. So if they do this they have to be trusted. If your gateway is not trusted then you should avoid doing certain things on it. One approach is just sending encrypted data directly to the cloud, but this (a) is inefficient (b) just pushes the need for trust to the cloud service.

ereshetova commented 6 years ago

The https://github.com/w3c/wot-security/pull/90 should address this by explicitly listing the Things Directory as an attack surface that is formally out of scope. However, we have added a placeholder for a new subsection, where we can discuss general recommendations for building secure Things Directories. Similarly for other nodes, such as the WoT Servient Gateway: while in our WoT threat model we don't assume them being compromised, we will provide recommendations in a new subsection for end-to-end security in the presence of an untrusted Gateway.
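The two gateway configurations discussed in the comments above (a bridging gateway that must decrypt, transform and re-encrypt, versus end-to-end protection through a gateway that is not trusted) as an added, runnable illustration. This is example code written for this page, not code from the wot-security repository or from any of the commenters. To stay dependency-free it uses a constructed encrypt-then-MAC scheme built from HMAC-SHA256 (a keystream derived in counter mode plus an authentication tag); a real deployment should use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 instead. The keys, the `thermo-1` reading and the Celsius-to-Fahrenheit "protocol translation" are all made up for the demonstration.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 12
TAG_LEN = 32  # SHA-256 output


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven in counter mode as a PRF keystream (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one shared secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Output is nonce || ciphertext || tag; tag binds aad, nonce, ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag (constant time) before decrypting; reject any modification."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: payload modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Configuration 1: bridging gateway. It holds the Thing<->gateway key and the
# gateway<->cloud key, so it necessarily sees every plaintext it translates.
def bridging_gateway(blob: bytes, thing_key: bytes, cloud_key: bytes):
    """Returns (plaintext the gateway observed, re-encrypted blob for the cloud)."""
    reading = json.loads(unseal(thing_key, blob))
    # Hypothetical protocol translation: rename a field and convert units.
    translated = {"sensor": reading["sensor"], "fahrenheit": reading["celsius"] * 9 / 5 + 32}
    return reading, seal(cloud_key, json.dumps(translated).encode())


# Configuration 2: end-to-end. The gateway is an untrusted relay without the key.
def relay_gateway(blob: bytes) -> dict:
    """All a keyless relay learns is traffic metadata."""
    return {"bytes": len(blob), "plaintext_visible": False}


def malicious_relay(blob: bytes) -> bytes:
    """A hostile gateway flips one ciphertext bit; the receiver must reject it."""
    i = NONCE_LEN  # first ciphertext byte
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]


def demo() -> dict:
    reading = {"sensor": "thermo-1", "celsius": 21.5}  # constructed sample reading
    payload = json.dumps(reading).encode()

    thing_gw_key, gw_cloud_key = os.urandom(32), os.urandom(32)
    seen, relayed = bridging_gateway(seal(thing_gw_key, payload), thing_gw_key, gw_cloud_key)
    cloud_via_bridge = json.loads(unseal(gw_cloud_key, relayed))

    e2e_key = os.urandom(32)  # shared only by the Thing and the cloud
    blob = seal(e2e_key, payload)
    cloud_via_e2e = json.loads(unseal(e2e_key, blob))
    try:
        unseal(e2e_key, malicious_relay(blob))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"bridge_gateway_saw": seen, "cloud_via_bridge": cloud_via_bridge,
            "relay_gateway_saw": relay_gateway(blob), "cloud_via_e2e": cloud_via_e2e,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the example makes concrete: in the bridging configuration `bridging_gateway` returns the full reading, so confidentiality rests entirely on trusting that host; in the end-to-end configuration the relay sees only a byte count, and any modification it makes is caught by the tag check, which is why the trust requirement moves to the cloud service holding the other key.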

mmccool commented 6 years ago

So it is now part of our threat model, but there are no details yet (just empty sections). Will leave this issue open until sufficient detail has been added.

mmccool commented 6 years ago

See discussion under https://github.com/w3c/wot-security/issues/72. We are considering creating a separate privacy section to make these considerations easier to find in one place. Note that we want to differentiate between attacks (e.g. a malicious gateway) and privacy risks under "normal operation". The privacy section should focus on the latter case... which means this issue is a "confidentiality" security risk, but not necessarily privacy per se since it's not a normal expected operation mode.

mmccool commented 6 years ago

@jasonanovak would you mind reviewing this issue and the others you have created in wot-security? We have made some progress against the issues you raised and would like your input.

mmccool commented 6 years ago

Still open; we added the section for this, but it's still mostly empty...

mmccool commented 5 years ago

I think we've dealt with all these issues in our current draft. Since @jasonanovak has not replied, we will have to assume the resolution is satisfactory... we can reopen if necessary in the future.