host-proof hosting

Think a minute about the security challenges involved in creating a health-centered social network. Or, more generally, any web application that has to handle sensitive user data. What if the database server becomes compromised? How do you make sure that, even if the database is stolen, your users' secrets remain confidential? How can any cloud computing application provide any significant measure of privacy?

At Clipperz they claim to have found the solution: they call it "zero-knowledge web applications". Since the term "zero knowledge" has a precise meaning in cryptography, that's a bit confusing. What Clipperz promotes boils down to evangelism for the "host-proof hosting" AJAX programming pattern.

client-side encryption

You still with me? It's a very simple concept, actually. Encrypt any sensitive data on the client-side browser before sending it to the web server. Data is never stored plaintext. Users can retrieve their data, in encrypted form, and only in their private browser is it decrypted and becomes accessible. Should the database server be compromised, an attacker finds only encrypted gibberish in the database.

Wow! Total privacy in the cloud computing age! Why don't we rewrite all our web applications to use this neat trick? Yes, why don't we? Read on to find several answers to that question.

crippled technology

As a programmer, you need access to the data you're manipulating. That's what programming is about: performing operations on data. If the data is protected by a wall of encryption on the client side, that means I can't manipulate it in any meaningful way on the server side. I'll have to do all serious programming on the client side, in JavaScript. That presents several serious drawbacks:

Flaky programming platform: Like any veteran of the browser wars, I've learned to deeply distrust (and dislike) web browsers as a client-side programming platform. We've seen it with Java: write once, debug everywhere. JavaScript has an even more checkered history of browser incompatibilities and bugs.
Data doesn't belong in the GUI: AJAX is very nice for fetching data and plugging them into a display. Nothing wrong with that. However, actually handling those data should be done at the server side, where the database environment is. It's no coincidence that the available JavaScript frameworks are all geared mainly towards display manipulation: that's what this technology was made for.
Crippled databases, crippled applications: Reducing a database to merely a diskspace to put encrypted bytes in, severely cripples your ability to do something actually interesting in your web application. No relation between user data is possible. No indexing and searching.
Isolated data, isolated users: There's no point in creating a social network, if people can't even share their interests, since those are closely held in each user's private browser.
Usability problems: The decryption pass-phrase key is held in memory by the client browser but gets lost on page refresh. This means you'll either have to re-request the pass-phrase on each page, or write a pure-AJAX application that doesn't do any page refreshes at all, which triggers significant usability disadvantages.

broken trust model

Apart from these technical objections, the underlying philosophy also doesn't make sense. The basic idea is: don't trust web hosts. Nothing wrong with that, actually, it's a dangerous world out there. But then the proposed solution is: don't trust web hosts, trust web applications. Which may make sense in a purely theoretical sense if you're a geek and squeeze your eyes a bit. But which doesn't, in any meaningful way, translate into a practical solution, not even for a propeller head like yours truly.

First of all, non-techies don't distinguish between hosts and the software served by that host. And they certainly don't distinguish between data stored on the host and encrypted data, interleaved in the same GUI, processed by the same software. If the host is trustworthy, the software is also, right? And if the host isn't trustworthy, why would I even consider typing in my medical details into it's software?

Next, even if you're one of the three people who hasn't stopped reading this blog entry yet and understands the issues involved, how are you going to ensure that your confidential data is not surreptitiously sent out without your knowing? How are you going to trust the application, if you don't trust the host that's serving you the application code on each page? You're going to audit the full client-side JavaScript application manually? You're going to do that on each page reload, to see if they maybe injected some malicious script? You're going to set up an auditing service that alerts you if anything changes in the JavaScript application code tomorrow?

transforming the concept

In short, programming a host-proof hosting application creates more problems than it solves. It's against the grain in several respects:

It fosters user isolation in a web context that naturally seeks to connect users;
It violates basic MVC software architecture principles by pulling data processing into the GUI layer;
It tries to replace a well-understood trust mechanism (a host is a brand, for chrissake!) with an obscure alternative that just doesn't cut it.

However, if you ditch the threat model in which the web host is the user's adversary, new opportunities emerge. Envision a different threat model, in which user and web host cooperate to protect sensitive data against a third party adversary.

a confidential health care web application

Say, we have a health care context and wish to separate personally identifiable data (name, address, date of birth) from the actual health records (symptoms, diagnosis, treatment). The two data sets can only be connected by the user, which stores her own connection key safely encrypted through the algorithm described above. Additionally, the user provides the web host with a separate connection key for billing and/or emergency access. The web host connection key is protected by a one-way public key encryption.

In this scenario, the web host software can only connect the two data sets (addresses and medical) if a human operator of the web host provides the secret key that unlocks the connection. This secret key is not stored on the web host. Consequently, should the web host be compromised and the database stolen, a hacker will not be able to link address information to sensitive medical data. Only the user or the web host operator can make that connection, ensuring confidentiality.

Posted by Guido Stevens in web at 21:13 | Permalink | Comments (4) | Trackbacks (0)

Defined tags for this entry: ajax

, algorithm

, cloudcomputing

, encryption

, healthcare

, infosec

, privacy

, software

, technology

, web

, web20

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

Great post, Guido! Made me think of Eric Rescorla's word that the most important function of a trust model is to assure that security doesn't become more expensive than it is worth. I like your solution with the separated data sets, that makes a lot of sense to me. Cheers Markus

#1 Markus Klems (Homepage) on 2008-07-06 17:37 (Reply)

We've been toiling away at Host-Proof Hosting since 2006 (I'm a Passpack founder), and it's great to see this discussion finally happening. --- You mentioned user isolation. Indeed, HPH naturally isolates. When bringing a typically offline tool (ex. password manager) online, we solve the ubiquitous access issue. But once online, it makes sense to use the web for what it's really worth, and that's collaboration. --- So that's the next thing we've tackled. We're in the process of implementing a solution for Shared Host-Proof Hosting: http://tinyurl.com/36lxhc --- Applications running HPH are fairly new, so as with any technique, they need a little time to overcome their own limits. I like the evolution of a shared responsibility system too. Have you implemented something like that yet?

#2 Tara Kelly (Homepage) on 2008-07-07 11:28 (Reply)

PS. On the "Zero Knowledge Application", I believe it's taking HPH in the wrong direction, it's taking it to a further extreme. We're preparing a post on this very subject right now.

#2.1 Tara Kelly (Homepage) on 2008-07-07 11:29 (Reply)

As the fellow who coined the term "Host-Proof Hosting", let me first say that the bulk of your criticisms are perfectly legitimate. It was almost ten years ago now that I first began working on the concept. Note that I don't claim to have "invented" it -- though the company I worked for at the time did in fact want to patent it! In any case, the original concept back in the late '90s was to use signed Java applets, which would be open sourced and signed either by independent auditors or by the customers themselves. That approach was specifically intended to deal with your fundamental issue of the trustworthiness of the code. Perhaps it is needless to say this, but I'll say it anyhow, we encountered lots of problems with this approach given the browsers that were in general use at the time and the Sun/Microsoft war over Java. When I wrote the blog posts back in 2005 that raised the idea of using AJAX to implement host-proof hosting, I suggested that this same approach could be used somewhat indirectly with javascript. I.e., customers could trust the javascript if an independent auditor could provide a digitally signed copy of the code and attest to the fact that it does nothing that could put your data at risk, and if the customer could installing a browser plug-in that is capable of validating that the hosting site's code matches the audited signed version. This is obviously far from ideal. The trust is there, but now there's a plug-in to deal with, which is undesirable. It is my understanding that Mozilla supports signed javascript, but I don't think IE does and I don't know about other browsers. Someday, maybe, we'll have that capability in all browsers, and then I think we'll have something that really makes javascript-based host-proof hosting practical from a security point of view. And by then maybe the usability drawbacks of a pure AJAX application will be dealt with, too. Anyhow, my concept of host-proof hosting never presumed that all data would have to be encrypted. The application that I was working on at the time could not have worked if that had been the case, because the back-end workflow system wouldn't have had access to the information that it needed. Still, the info we did want to encrypt was going to, at a minimum, make it a lot harder for our support staff, because they'd never be able to see everything that a customer sees. You've got a really interesting insight here that in many cases it's sufficient to use encryption only to protect a relation between two data sets. Hiding the minimal amount of information necessary to maintain security is a good guiding principle.

#3 Richard Schwartz (Homepage) on 2008-12-03 02:28 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. E-Mail addresses will not be displayed and will only be used for E-Mail notifications To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry
Submitted comments will be subject to moderation before being displayed.

Quicksearch

Powered by

Guido A.J. Stevens is internet entrepreneur. He holds an MBA and is co-founder and managing director of NFG Net Facilities Group: innovative open source internet solutions.

creative commons

Original content in this work is licensed under a Creative Commons License

Blog Administration

Open login screen

transcyberia.info

Static

Recent

Tags

Archives