Convopage
See the entire conversation
Phil Ames
@philames
Nice docs by
@fugueish
on service worker security considerations:
Service Worker Security FAQ - The Chromium Projects
Home of the Chromium Open Source Project
sites.google.com
111 replies and sub-replies as of May 13 2017
Chris Palmer
@fugueish
Only the errors are due to me. 🙂 Lots of help from
@slightlylate
,
@estark37
,
@sirdarckcat
,
@ericlaw
, many others!
CopperheadOS
@CopperheadOS
How long can a SW receive occasional sync events after the user visits a site installing one? Do those stop if the user doesn't go back?
CopperheadOS
@CopperheadOS
i.e. if a user visits a site, does that mean it gets to occasionally run a little bit of code forever unless the user clears their cookies?
CopperheadOS
@CopperheadOS
Or do those events stop if the user hasn't gone back for a certain amount of time? That would address much of the security concern.
Alex Russell
@slightlylate
No.
Eric Lawrence
@ericlaw
When you say "occasional sync events" are you asking about activations due to push notifications?
CopperheadOS
@CopperheadOS
WICG/BackgroundSync
BackgroundSync - A design and spec for ServiceWorker-based background synchronization
github.com
Alex Russell
@slightlylate
That has back off behaviour and total invocation limit.
CopperheadOS
@CopperheadOS
How long after the user has visited a site can it get an event though? Can a site register a monthly sync event for a whole year?
CopperheadOS
@CopperheadOS
Not seeing documentation on the limits of this. If a user visits a malicious site, how long are they exposed to running code from there?
CopperheadOS
@CopperheadOS
Not worried about farming out CPU usage but rather the potential of a long-term persistent beachhead to exploit at some point the future.
Chris Palmer
@fugueish
Can you describe an exploit scenario? Are you concerned about people opting in to push notifications from a purposefully malicious origin?
CopperheadOS
@CopperheadOS
Yeah, that's one possible scenario. Also wasn't sure if those periodic background sync events (rather than push) required a permission.
CopperheadOS
@CopperheadOS
Basically an attacker being able to persistently run code, with the user not being aware that the site is still able to run code.
CopperheadOS
@CopperheadOS
Even if at some point they needed to allow it, there doesn't seem to be any prominent user-facing UI (site settings isn't ) showing these.
CopperheadOS
@CopperheadOS
So for example, an attacker has a window to exploit the publicly disclosed bugs every Chrome release cycle, particularly for ChromeOS.
CopperheadOS
@CopperheadOS
Since ChromeOS releases lag a fair bit behind and have a feeling users take a much longer time to reboot... update notification is subtle.
CopperheadOS
@CopperheadOS
vs. before, where the user actually has to visit the malicious site when attacker has working exploit for their version, way less likely.
Chris Palmer
@fugueish
To be clear, we're talking about a malicious site that has enough of a value proposition to get people to give it push permission?
Chris Palmer
@fugueish
1.
gauntface.github.io/simple-push-de…
2. chrome://serviceworker-internals/ 3. chrome://settings/search#clear%20browsing%20data, Clear ...
Chris Palmer
@fugueish
4. chrome://serviceworker-internals/ 5. Close Simple Push Demo tab 6. chrome://serviceworker-internals/
Chris Palmer
@fugueish
It looks to me like Clear Browsing Data clears Service Workers. (You can also deny SWs by not letting sites set local data.)
CopperheadOS
@CopperheadOS
And lose all other forms of local data as part of that, which is not practical, so this is being forced onto users in practice.
Chris Palmer
@fugueish
Clear Browsing Data is the well-known UX for clearing out one's browser profile, and it works. Maybe we could add a specific [x] for SWs.
Chris Palmer
@fugueish
But I think "forced" seems a bit strong. Especially given
sites.google.com/a/chromium.org…
-
Service Worker Security FAQ - The Chromium Projects
Home of the Chromium Open Source Project
sites.google.com
Alex Russell
@slightlylate
Clearing site data already clears your SWs.
Eric Lawrence
@ericlaw
I think the idea is that maybe you want to keep your other site data but nuke your workers.
Alex Russell
@slightlylate
Struggling to understand why. A SW w/o the caches/IDB dbs is blind and mute. Getting a half-broken app isn't in the user's favour.
Chris Palmer
@fugueish
I think
@CopperheadOS
is looking for the reverse: local data w/o SWs. Would still likely result in a half-broken app. 🤷🏻♂️
Alex Russell
@slightlylate
Yeah... Don't get that
CopperheadOS
@CopperheadOS
It's a security issue, mostly not a privacy issue (but it's that too, separate from the security issue).
CopperheadOS
@CopperheadOS
It being able to update and run code in the background only spread out by lots of time and for short periods of time doesn't lessen that.
Chris Palmer
@fugueish
If you can write up an attack scenario, preferably with a PoC, we have a VRP. Prove me wrong. 🙂
CopperheadOS
@CopperheadOS
When was it implied there was a vulnerability? A huge new form of attack surface exposing users to more danger != something covered by that.
CopperheadOS
@CopperheadOS
s/attack surface/attack vector/ to be clearer
CopperheadOS
@CopperheadOS
If we pretend Chrome is bug-free, then there isn't a security issue. Still a major new form of invisible user tracking for web sites though.
CopperheadOS
@CopperheadOS
Users see which sites are open. On the other hand, cookies and these are effectively invisible, but cookies don't run code and update in bg.
CopperheadOS
@CopperheadOS
User leaving open a malicious site for 3 months vs. visiting once, never going back, but being persistently exposed to attacks is different.
Chris Palmer
@fugueish
I think/hope you'll find that the API surface available to SWs is not as extensive as you seem to think.
Chris Palmer
@fugueish
We also historically have rewarded generously for partial exploit chains.
CopperheadOS
@CopperheadOS
Updated JavaScript code + network access with a periodic sync event is really bad. Haven't been thinking about anything else, really.
Alex Russell
@slightlylate
Just so we're super clear: backround sync API is one-shot sync, not periodic.
CopperheadOS
@CopperheadOS
Yeah, but they do exist, and the permissions don't communicate the privacy and security risk, which seems to be missed anyways.
Alex Russell
@slightlylate
We have thought hard about all of these aspects. Of course, might have missed something! Looking forward to your POC = )
Andrew Ayer
@__agwa
FAQ suggests push notifications are just one of the ways to keep SWs running. What are the others? Do they all require user permission?
Alex Russell
@slightlylate
Background Sync will allow one-shot wakeups. No ability to schedule arbitrary wakeups w/o user consent.
CopperheadOS
@CopperheadOS
The user isn't consenting if they're only accepting something like notifications, not background coarse location tracking via IP, etc.
CopperheadOS
@CopperheadOS
Notifications / push != persistent, background application to an end user, even experts on web standards and security that missed this.
CopperheadOS
@CopperheadOS
Is there a sample application somewhere with use of periodic events, rather than push?
Alex Russell
@slightlylate
There is no periodic sync implemented anywhere, in any browser. Does not exist.
Alex Russell
@slightlylate
...which folks who play with the API or look the source code can know easily. E.g.:
cs.chromium.org/chromium/src/t…
Alex Russell
@slightlylate
Nobody "missed" this. It was discussed to death.
CopperheadOS
@CopperheadOS
If you discussed the same things implied here (tweets are too short to actually write it all out) and deployed it, that makes it worse.
Chris Palmer
@fugueish
Post a background geo-IP tracker PoC.
CopperheadOS
@CopperheadOS
Why? Not interested in helping Chromium development based on bad interactions with Chromium developers, unlike Android.
CopperheadOS
@CopperheadOS
Just trying to understand reasoning and what was or wasn't considered. Quite aware it's not going to get removed or crippled from how it is.
Alex Russell
@slightlylate
Consider Android: do users believe they're giving up the ability for an app to ping servers when they allow notifications?
Alex Russell
@slightlylate
And recall here that Android allows silent push notifications (which we do not).
CopperheadOS
@CopperheadOS
Android has code signing and users explicitly install the apps.
CopperheadOS
@CopperheadOS
And sure, understand the goal with these standards is to compete with native apps. Except the consent and signing model is not present...
Alex Russell
@slightlylate
Users explicitly opt-in to per-site notification permissions here. Nothing is implicit.
Alex Russell
@slightlylate
And what does signing buy? We can kill-switch bad push senders just as (or more) easily.
CopperheadOS
@CopperheadOS
Yeah, not buying that. Google claims to police GCM too. Don't believe in the enumerating badness and IDS fluff.
CopperheadOS
@CopperheadOS
Signing means a compromised server doesn't allow executing code on the user's device and obtaining the data they have stored in that app.
CopperheadOS
@CopperheadOS
TLS isn't comparable to code being signed and verified, not just authentication of the transport layer between an app and the server.
CopperheadOS
@CopperheadOS
Although, the end goal seems to remove what little user control, privacy and security exists so makes sense why it wouldn't be considered.
CopperheadOS
@CopperheadOS
User data controlled by the user and not stored on a cloud server without end-to-end encryption is apparently just a problem to be solved.
CopperheadOS
@CopperheadOS
Fundamentally incompatible views on how software should work -> misunderstandings and unproductive discussion.
CopperheadOS
@CopperheadOS
They consent to notifications, not to persistent background code execution, as I stated. There's also no ongoing consent to it like apps.
Alex Russell
@slightlylate
What is the delta in "ongoing consent"? If users tap into the "site settings" link on every push, they can remove push.
CopperheadOS
@CopperheadOS
Users have expectations about what a web page is and it's not persistent code that can run without the site open.
CopperheadOS
@CopperheadOS
"Allow notifications" or "Allow push" definitely doesn't imply or communicate that, and there's another big difference from Android and iOS.
CopperheadOS
@CopperheadOS
Android and iOS directly present the installed apps to the user. It's front and centre. They explicitly install, and see which are there.
CopperheadOS
@CopperheadOS
If you list service workers on new tab page, users can drag them to a trash bin and there's a prompt to install, then I have no complaints.
Alex Russell
@slightlylate
Service Workers are not a user concept. Push notifications are, so we enable management of *those*.
CopperheadOS
@CopperheadOS
Except you don't ask users for consent for the security and privacy implications, you ask them for consent to display notifications.
CopperheadOS
@CopperheadOS
You also don't acquire their ongoing consent, since there isn't a prominent list of every app that's doing this with an easy way to remove.
Alex Russell
@slightlylate
It's *right in your face* when you get a notification. Literally under your thumb. Every time.
CopperheadOS
@CopperheadOS
The fact that there's an app running is in no way clear.
Alex Russell
@slightlylate
Do you mean except for the fact that we force the site to show a notification (or show one on it's behalf)?
CopperheadOS
@CopperheadOS
So unlike iOS and Android apps, it's invasive without consent, and a misleading notification prompt doesn't change anything.
Alex Russell
@slightlylate
...and in our model users are always presented with UI when work happens on behalf of an origin, giving them control.
CopperheadOS
@CopperheadOS
Users don't need to search for a web application in a store and then explicitly install it. Completely different model for code signing too.
Chris Palmer
@fugueish
To prove your claim, and because we love to reward bug reporters. I think you'll find we have earned a good reputation on that point.
CopperheadOS
@CopperheadOS
There aren't rewards for a WONTFIX / NOTABUG or DUPLICATE result. It's not productive when it's already clear what the result will be.
CopperheadOS
@CopperheadOS
Not planning on doing free work for any company. Submit Android bugs when they are found along the way, doing paid work.
Andrew Ayer
@__agwa
So if you're on a different network when connectivity is restored, you leak to site new IP address. Even if you never visit that site again.
Andrew Ayer
@__agwa
You also leak to network operator that you previously visited that site due to DNS/SNI/etc. leaks.
Andrew Ayer
@__agwa
Seems bad to permit this without user consent.
Alex Russell
@slightlylate
We have discussed that at length too.
CopperheadOS
@CopperheadOS
Discussed at length != addressed the concerns or came to conclusions that other people think is reasonable.
CopperheadOS
@CopperheadOS
Pretty sure there's internal discussion on a lot of things that are unreasonable, like telling sites build id + phone model / OS build id.
CopperheadOS
@CopperheadOS
Or giving precise details on GPU information and allowing dumping of the rendered buffers. Or the battery API that's not even portable.
Alex Russell
@slightlylate
Every API we add has the potential for misdesign. That's why we focus on working in standards and ensuring impl flexibility.
Alex Russell
@slightlylate
For instance, for one-shot background sync, one idea we discussed was only allowing site/network pairs that had been previously seen.
Alex Russell
@slightlylate
And the API has been designed to allow a flexible policy like this should we decide it's better in the future.
Alex Russell
@slightlylate
...and designing it this way lets UA's decide what the want to do. API designed w/ promises to enables prompting:
SyncManager.register()
The SyncManager.register method of the SyncManager interface returns a Promise that resolves to a SyncRegistration instance.
developer.mozilla.org
CopperheadOS
@CopperheadOS
Issue is not really API design, it's a fundamentally different view on a what a browser should be. Anyway, we'll see how it goes.
CopperheadOS
@CopperheadOS
The Google Play instant apps feature is approaching the same disaster from the other direction. I guess those will even be on ChromeOS now.
Chris Palmer
@fugueish
Fetch events created by in-page JS (no permission, as normal)
Alex Russell
@slightlylate
That's tied to the page lifetime. Page closes == no way to wake up SW w/ fetch event.
Alex Russell
@slightlylate
Basically that matches the user's intuition about pages: they can run JS when open. Not new.
Chris Palmer
@fugueish
If someone shows our controls&mitigations aren't as effective as we thought, we often reward for that.
CopperheadOS
@CopperheadOS
Is that permission required for background sync? Not talking about push. chrome:// URLs are for developers, not something users see / use.
CopperheadOS
@CopperheadOS
"show notifications" also isn't communicating that it means the site persists as something that's able to run in your browser.
Chris Palmer
@fugueish
The document you linked to shows that BG sync requires a permission. The chrome:// URLs are just for you to test.
Chris Palmer
@fugueish
What do you mean by "sync event"? Push notifications? (Push notifications require user permission:
gauntface.github.io/simple-push-de…
)
CopperheadOS
@CopperheadOS
No, bg sync events (linked to the doc above). Pretty sure those don't need permission, although Android (not desktop?) has a global toggle.
Chris Palmer
@fugueish
Those are also gated by (origin-scoped) permissions.
Owen Campbell-Moore
@owencm
Background sync fires an event once when the device comes back online. No concept of "periodic" running in background.
Chris Palmer
@fugueish
also
@alexainslie
@lgarron
@jaffathecake
and more whose Twitter handles I don't know...