As demonstrated in the paper, OPFS enables attackers to read more than just browsing habits, but also solid state gates’ data.
Meaning, if vendors require HPSA, they will need to redesign their entire threat model to an isolated securely atomized one that OPFS by design cannot secure.
I get that the paper has discovered a flaw, but I don’t see how it is unmitigatable, it’s still a sandboxed filesystem at the end of the day, rate smoothing and noise insertion seem like fairly obvious first steps and I’m far from an expert.
It’s like saying we should get rid of VPNs because they suffer the same kinds of side channel risk.
Why did you chop off the start of the sentence to make it look like I was saying the thing you were?
I was pointing out it’s a ridiculous thing to suggest
I mentioned threat remodeling for several reasons. One of them is, as designed OPFS fails every single one of your suggestions, and more.
So, an entire HPSA model needs to be redesigned, or stick to non HPSA whatsoever until further peer reviewed refuzzing has been made.
This type vectorization isn’t novel, it’s just hilarious vendors just accepted it without further security considerations.
Right, yes it definitely needs fixing, that’s what I’m saying. Then you veer off into saying we should build it from scratch again? Why? There’s no apparent need for that given what you’ve said, you’re just describing what we do to fix the existing standard?
It’s the web, vendors don’t break existing APIs unless there’s no other option and from what you’ve written so far, the problem is in the implementation, not the API.
bruv, have you ever designed a fighter jet from a raft?
Because that is the equivalence of comparing OPFS is to a secured PostgreSQL query.
You cannot attain security from a raft, when fighter jets only need to drop bomps like a carpet to write on cities, and traverse microseconds of distances compared to whatever the wind is.
A postgres query is not a filesystem and also not intended at all for large binary blob storage and arbitrary range access? That’s an entirely different tool for completely different use cases.
The existing filesystem API (that the OPFS API appears to build on) is entirely reasonable for its intended use case, and is actually even more entrenched than OPFS given it exists for non-sandboxed uses, and has done for quite a long time. Remember, browser vendors will not break web APIs unless there’s no other option, for good reason.
I also feel like you keep shooting past the fact this is a side channel attack. It’s fairly reasonable to conclude any storage operation that hits the SSD could be used for this kind of thing. So basically any equivalent approach would require the same mitigations.
You’ve still not made any valid case for your claim that it’s insecure by design.
Just so we can draw this to a close: please explain, specifically and succinctly, which fixes you would make and why specifically the existing OPFS is fundamentally incompatible with your suggestions.
So far there has been nothing like that in this thread, just hand waving and it’s insecure by design, just trust me bro
As demonstrated in the paper, OPFS enables attackers to read more than just browsing habits, but also solid state gates’ data.
Meaning, if vendors require HPSA, they will need to redesign their entire threat model to an isolated securely atomized one that OPFS by design cannot secure.
I get that the paper has discovered a flaw, but I don’t see how it is unmitigatable, it’s still a sandboxed filesystem at the end of the day, rate smoothing and noise insertion seem like fairly obvious first steps and I’m far from an expert.
It’s like saying we should get rid of VPNs because they suffer the same kinds of side channel risk.
I mentioned threat remodeling for several reasons. One of them is, as designed OPFS fails every single one of your suggestions, and more.
So, an entire HPSA model needs to be redesigned, or stick to non HPSA whatsoever until further peer reviewed refuzzing has been made.
This type vectorization isn’t novel, it’s just hilarious vendors just accepted it without further security considerations.
🤝🤣
Why did you chop off the start of the sentence to make it look like I was saying the thing you were?
I was pointing out it’s a ridiculous thing to suggest
Right, yes it definitely needs fixing, that’s what I’m saying. Then you veer off into saying we should build it from scratch again? Why? There’s no apparent need for that given what you’ve said, you’re just describing what we do to fix the existing standard?
It’s the web, vendors don’t break existing APIs unless there’s no other option and from what you’ve written so far, the problem is in the implementation, not the API.
bruv, have you ever designed a fighter jet from a raft?
Because that is the equivalence of comparing OPFS is to a secured PostgreSQL query.
You cannot attain security from a raft, when fighter jets only need to drop bomps like a carpet to write on cities, and traverse microseconds of distances compared to whatever the wind is.
OPFS is insecure by design.
A postgres query is not a filesystem and also not intended at all for large binary blob storage and arbitrary range access? That’s an entirely different tool for completely different use cases.
The existing filesystem API (that the OPFS API appears to build on) is entirely reasonable for its intended use case, and is actually even more entrenched than OPFS given it exists for non-sandboxed uses, and has done for quite a long time. Remember, browser vendors will not break web APIs unless there’s no other option, for good reason.
I also feel like you keep shooting past the fact this is a side channel attack. It’s fairly reasonable to conclude any storage operation that hits the SSD could be used for this kind of thing. So basically any equivalent approach would require the same mitigations.
You’ve still not made any valid case for your claim that it’s insecure by design.
Just so we can draw this to a close: please explain, specifically and succinctly, which fixes you would make and why specifically the existing OPFS is fundamentally incompatible with your suggestions.
So far there has been nothing like that in this thread, just hand waving and it’s insecure by design, just trust me bro