Firefox Offline
A number of interesting things are happening at the same time, but today I am going to talk about Firefox 3 offline support and how it can change the way we perceive web applications. Keep in mind that this post is pure speculation. Firefox 3 is nowhere near complete, so we are really talking about problems that don’t exist.
It is more or less official that Firefox 3 will support offline applications. This means that we, as users, can use applications such as Gmail or Google Calendar without being connected. This is quite a good thing in situations where you don’t have web access but you still want to check your calendar, maybe even update it, write a draft email and check the 20 most recent entries in your inbox. All the changes that you perform offline will be synchronized with your online profile as soon as you connect.
This is very nice, but it raises a few concerns about the integrity and security of offline applications. The first point I want to raise is that if a web application can work offline, web malware can surely do the same. Moreover, offline web malware might be able to permanently cripple offline web applications with spyware functionality and other malicious tools.
Here is a simple example of how this feature can be abused. Again, this article is pure speculation. If Gmail is affected by some kind of cross-site scripting vulnerability, can the attacker permanently plug malicious code into the application’s offline source base? The browser cannot really differentiate between malicious and non-malicious code, which means that, in theory, this can happen.
So, what can the attacker do if they succeed? Well, it depends. However, given that the malicious code is part of the application, attackers can definitely control not only the offline application’s logical flow but also the synchronisation and local storage facilities. This sounds dangerous.
Offline web applications, although executed straight from the browser, are like desktop applications. I have mentioned on a number of occasions that bridging the web with the desktop is, in general, not a good idea, although I can clearly see how useful and beneficial it could be. Browsers will support offline applications no matter what. Firefox 3 is ahead of the game. IE, Opera and Safari are somewhere behind, but I am sure that they will catch up.
Here is one interesting thing.
“Although Mozilla is an open source organization, some of its top workers are employed by Google. So it’s a very cozy relationship. We’ve discussed before how Firefox 3 as information broker suits Google very nicely, because the Mountain View company has a number of best of breed web apps - and if it’s not building them, it’s acquiring them (YouTube, JotSpot, Writely, etc).” (readwriteweb)


comments
Good stuff to think about. However we’re trying hard to keep the security model the same as the existing online model.
For example, we won’t allow offline apps to run “in the background” any more than we allow online apps to do so. On the downside this means you must explicitly visit the application page to resync when you get back online; on the upside, malware wouldn’t be able to run invisibly.
Furthermore, the offline cache that stores offline application resources is just a cache and it’s only used when you’re offline. When you’re online the application will run using normal HTTP caching mechanisms and offline-cache resources will be revalidated against the online source. So I don’t think this opens any new avenues of attack that don’t exist with existing browser caching, unless we stuff up our implementation somehow.
Not knowing all that much more than you either, I think the technical base for this is simply a facility for web apps to store more complex data on disk than cookies. localstore.rdf, sqlite table, doesn’t matter, it simply gets some space to write text and XML and whatnot in. Combine with smart cache and Boom you have your offline web apps. No increased privileges needed.
Thus, the extent of an XSS would still be the same as today: The attacker can control gmail and the data in there, but nothing else.
Robert, Ben,
Thanks for the comments. As I mentioned, it is very early to talk about possible problems in FF offline support, however, am I right in saying that if web applications can cache, so can web malware? Also, I am interested to know how the offline state in web applications is defined. Is an application offline when there is no access to the remote server, or is it offline when the network cable is unplugged? It makes a big difference.
In simple words, attackers might be able to cache malware code and call it when it is needed. This is a problem because it removes the need for external servers to host the malicious code.
I can come up with dozens of other questions like this. We need to seriously think about the security implications involved in this feature.
Here is another interesting question: will FF3 allow caching of offline applications from https://? If that is the case, isn’t that a security problem? If this offline http:// application contains sensitive information, attackers might be able to read it and use it.
This is a huge problem if the user is checking their GMAIL from an Internet Cafe for example.
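The comments above say the offline cache is used only when offline and is revalidated when online, and ask how "offline" is defined. The following is an added illustration, not Firefox code and not part of the original thread: a simplified model of that policy under two definitions of offline. The names `load`, `offlineWhen`, `originServer`, the `net` flags, the sample resource and the use of an ETag comparison for revalidation are all assumptions.

```javascript
// Simplified model of the policy described in the comments; not Firefox code.
// Constructed sample data: the origin's current script.
const originServer = { "/app.js": { etag: "v2", body: "render(inbox)" } };

// Constructed cache entry that no longer matches what the origin serves.
function makeCache() {
  return { "/app.js": { etag: "v1", body: "render(inbox); /* modified copy */" } };
}

// Two candidate definitions of "offline" (hypothetical names).
const offlineWhen = {
  linkDown: (net) => !net.linkUp,
  originUnreachable: (net) => !net.linkUp || !net.originReachable,
};

// Resolve a resource: offline cache only when offline, revalidation when online.
function load(path, net, isOffline, cache) {
  if (isOffline(net)) {
    const hit = cache[path];
    return hit ? { source: "offline-cache", body: hit.body }
               : { source: "error", body: null };
  }
  const fresh = net.originReachable ? originServer[path] : undefined;
  if (!fresh) return { source: "error", body: null };
  const cached = cache[path];
  if (cached && cached.etag === fresh.etag) {
    return { source: "revalidated", body: cached.body };
  }
  cache[path] = { ...fresh }; // mismatching entry is replaced by the origin's copy
  return { source: "network", body: fresh.body };
}

// Walk the three network states under both definitions.
const states = [
  { name: "online", linkUp: true, originReachable: true },
  { name: "link down", linkUp: false, originReachable: false },
  { name: "origin unreachable", linkUp: true, originReachable: false },
];
for (const [rule, isOffline] of Object.entries(offlineWhen)) {
  for (const net of states) {
    const result = load("/app.js", net, isOffline, makeCache());
    console.log(rule, "/", net.name, "->", result.source);
  }
}
```

In this model the two definitions differ only in the "origin unreachable" state: under `linkDown` the load fails, while under `originUnreachable` the mismatching cached copy runs without revalidation.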