keeping secrets in the browser - Pragmatic Web Security
21
@PhilippeDeRyck – [email protected] PHILIPPE DE RYCK PHILIPPE DE RYCK SECURITY PATTERNS FOR KEEPING SECRETS IN THE BROWSER
-
Upload
khangminh22 -
Category
Documents
-
view
0 -
download
0
Transcript of keeping secrets in the browser - Pragmatic Web Security
@PhilippeDeRyck – [email protected] DE RYCKPHILIPPE DE RYCK
SECURITY PATTERNS FORKEEPING SECRETS IN THE BROWSER
@PhilippeDeRyck 2
Pragmatic Web Security
High-quality security training for developers and managers
- Deep understanding of the web security landscape
- Google Developer Expert (not employed by Google)
DR. PHILIPPE DE RYCK
- Author of the primer on client-side web security
Custom courses covering web security, API security, Angular security, …
- Course curator of the SecAppDev course (https://secappdev.org)
@PHILIPPEDERYCK
HTTPS://PRAGMATICWEBSECURITY.COM
@PhilippeDeRyck 3
Request
Response containing a secret
@PhilippeDeRyck 4
https://www.restograde.com
JavaScript libraries and services
User-provided content
3rd party components
@PhilippeDeRyck 5
https://restograde.com
(https, restograde.com, 443) (https, restograde.com, 443)
https://restograde.com
(https, restograde.com, 443)
@PhilippeDeRyck 7
LOCALSTORAGE
LocalStorage is accessible for every context in the origin
Useful to store long-term non-sensitive data
https://restograde.com
(https, restograde.com, 443) (https, restograde.com, 443)
https://restograde.com
(https, restograde.com, 443)
A
B
A
A B
@PhilippeDeRyck 9
SESSIONSTORAGE
SessionStorage is accessible to a set of browsing contexts within an origin
Useful to store client-accessible data during a “session”
https://restograde.com
(https, restograde.com, 443) (https, private.restograde.com, 443)
https://restograde.com
(https, restograde.com, 443)
(https, restograde.com, 443)(https, private.restograde.com, 443)
Abuse is restricted to the exposed interface
@PhilippeDeRyck 11
ISOLATING LOCALSTORAGE PER ORIGIN
Origin-based isolation limits access to LocalStorageExposed interface can implement access control rules
Useful to store sensitive data
@PhilippeDeRyck 12
KEY TAKEAWAY
• Create an origin without third-party code or user data
• Expose a limited set of operations (e.g., read-only)
• Enforce an origin-based access control policy on operations
ORIGIN-BASED ISOLATION IS ASTRONG ISOLATION MECHANISM
@PhilippeDeRyck 13
https://restograde.com
(https, restograde.com, 443) (https, private.restograde.com, 443)
(https, private.restograde.com, 443)
Request with authorization information
Retrieve user-specific key from backend
Use WebCrypto to load the key and
encrypt/decrypt data
@PhilippeDeRyck 16
ENCRYPTION WITH A SERVER-PROVIDED KEY
The server provides a user/device-specific key
Useful to handle encrypted data in online scenarios
Request password
********
Request the application password
from the user
Use WebCrypto to transform password
into a key
Use WebCrypto for encrpyting/decrypting
data
@PhilippeDeRyck 18
ENCRYPTION WITH A PASSWORD-DERIVED KEY
The user provides an application password, which is transformed into an encryption/decryption key
Useful to handle encrypted data in offline scenarios
@PhilippeDeRyck 19
THE BROWSER IS NO PLACE FOR SECRETSAvoid storing sensitive data in the browser if you can1STORE SECRETS IN A DEDICATED ORIGINOrigin-based isolation is a strong browser security mechanism2CONSIDER ENCRYPTING SENSITIVE DATABrowser data is easily accessible from outside the browser3
@PhilippeDeRyck 20https://pragmaticwebsecurity.com/talks/browsersecrets
