I understand what you're getting at here, but I strongly disagree. I'm one of many people actively involved in the security community with this viewpoint.
The creators of the JWT spec itself, for instance, did not design it for the way it is being used in web apps described here. There are TONS of resources written by cryptographers (like DJB), security professionals, etc., all pointing to the massive holes and problems that using JWTs and storing tokens in local storage can cause.
It's not just me.
The biggest problem I see is that there is so much misinformation around advocating using these things. This is a big problem.
This article is just one of many which showcase some of the issues with all the insecure recommendations made amongst the general web development community.
I strongly urge you to read through all the other resources out there which have more to say on this topic. Not only does OWASP recommend against using local storage (which was the point of this article), but there are a PLETOHORA of reasons why you don't want to use JWTs AT ALL! The spec itself has SERIOUS issues and has been widely criticized by the security/cryptography community.
The underlying crypto options themselves have a million issues that cannot be easily resolved, and that's all BESIDES the portion this article talks about, which is just the high level architecture/storage piece.
Best way to refute my argument is to provide some references where JWT was unsafe or local storage was compromised.
Instead you are still continuing the FUD and throwing a bunch of other accomplished people's names and complicated crypto words and "security community" to bring credibility to your arguments.
I think you should talk about this to some other experienced people at your work place. People with serious qualifications disagree with your assessment of the topic at hand.
And, re: when is local storage compromised... Read through OWASP top 10: owasp.org/images/7/72/OWASP_Top_10... (XSS has been one of the top 10 web exploits since 2013 and likely far before).
The first link says "This article does not argue that you should never use JWT". but you are confidently advocating everyone not to use JWT at all.
The other links do not show any vulnerabilities in either local storage or use of JWT tokens. They are talking about specific cases of using bad encryption mechanisms with JWT payload.
If you have XSS in your setup, using local storage is least of your concerns.
The links you posted are related to security. None of them support your argument that local storage and JWT are bad.
The first link describes what is talked about in this post. Using JWTs for web auth is not optimal and causes a lot of issues.
The other links talk specifically about weaknesses in JWTs as a protocol, implementation issues, and real security concerns with the spec.
The bit about OWASP + XSS is the main issue around local storage, since it's something difficult to prevent, even when you're using CSP, which I explained in depth in this article itself.
I'm not certain what more you are looking for =/ The usage of JWTs for web authentication tokens is not ideal, and even for valid use cases of JWTs they are not optimal to use due to security issues with the protocol (as well as many popular implementations) you would be better served using alternative token types which avoid JWT issues.
In short:
It is not recommended to store sensitive data in local storage due to wide prevalence of XSS and the difficulty of preventing XSS
JWTs are not recommended due to spec issues, poor encryption and signing algorithm choices, complex specs that make developing JWT libraries challening, and flexibility in algorithm usage which allows web developers to easily mess up important implementations
You are able to talk around the topic in circles while missing the whole point. You are advocating people not to use local storage and JWT tokens based on nothing credible or nothing concrete. You are misleading a lot of people with your story.
There are perfect legitimate use cases for JWT and Local storage. They are very useful tools.
There are no spec issues with JWT and you can use JWT without encryption.
XSS is not an issue with local storage.
Please stop the FUD.
You do not have to explain anything, If what you say is credible and has any merit, people will make up their mind.
What you are saying is directly contrary to what is outlined in those links I supplied.
I'd love to have a more in depth convo at some point. I'd you're interested in continuing the conversation please hit me up: r@rdegges.com. I'd be happy to talk about spec issues in more depth, or issues with architecture as outlined above.
Really open to whatever! It's a complex topic, and fun to look at.
Hey there,
Thanks for leaving a comment!
I understand what you're getting at here, but I strongly disagree. I'm one of many people actively involved in the security community with this viewpoint.
The creators of the JWT spec itself, for instance, did not design it for the way it is being used in web apps described here. There are TONS of resources written by cryptographers (like DJB), security professionals, etc., all pointing to the massive holes and problems that using JWTs and storing tokens in local storage can cause.
It's not just me.
The biggest problem I see is that there is so much misinformation around advocating using these things. This is a big problem.
This article is just one of many which showcase some of the issues with all the insecure recommendations made amongst the general web development community.
I strongly urge you to read through all the other resources out there which have more to say on this topic. Not only does OWASP recommend against using local storage (which was the point of this article), but there are a PLETOHORA of reasons why you don't want to use JWTs AT ALL! The spec itself has SERIOUS issues and has been widely criticized by the security/cryptography community.
The underlying crypto options themselves have a million issues that cannot be easily resolved, and that's all BESIDES the portion this article talks about, which is just the high level architecture/storage piece.
Best way to refute my argument is to provide some references where JWT was unsafe or local storage was compromised.
Instead you are still continuing the FUD and throwing a bunch of other accomplished people's names and complicated crypto words and "security community" to bring credibility to your arguments.
I think you should talk about this to some other experienced people at your work place. People with serious qualifications disagree with your assessment of the topic at hand.
Here are some good resources to read through:
And, re: when is local storage compromised... Read through OWASP top 10: owasp.org/images/7/72/OWASP_Top_10... (XSS has been one of the top 10 web exploits since 2013 and likely far before).
Did you even read these blogs you linked to?
The first link says "This article does not argue that you should never use JWT". but you are confidently advocating everyone not to use JWT at all.
The other links do not show any vulnerabilities in either local storage or use of JWT tokens. They are talking about specific cases of using bad encryption mechanisms with JWT payload.
If you have XSS in your setup, using local storage is least of your concerns.
The links you posted are related to security. None of them support your argument that local storage and JWT are bad.
Yes -- they do.
The first link describes what is talked about in this post. Using JWTs for web auth is not optimal and causes a lot of issues.
The other links talk specifically about weaknesses in JWTs as a protocol, implementation issues, and real security concerns with the spec.
The bit about OWASP + XSS is the main issue around local storage, since it's something difficult to prevent, even when you're using CSP, which I explained in depth in this article itself.
I'm not certain what more you are looking for =/ The usage of JWTs for web authentication tokens is not ideal, and even for valid use cases of JWTs they are not optimal to use due to security issues with the protocol (as well as many popular implementations) you would be better served using alternative token types which avoid JWT issues.
In short:
Not sure what else I can do to explain :o
You are able to talk around the topic in circles while missing the whole point. You are advocating people not to use local storage and JWT tokens based on nothing credible or nothing concrete. You are misleading a lot of people with your story.
There are perfect legitimate use cases for JWT and Local storage. They are very useful tools.
There are no spec issues with JWT and you can use JWT without encryption.
XSS is not an issue with local storage.
Please stop the FUD.
You do not have to explain anything, If what you say is credible and has any merit, people will make up their mind.
What you are saying is directly contrary to what is outlined in those links I supplied.
I'd love to have a more in depth convo at some point. I'd you're interested in continuing the conversation please hit me up: r@rdegges.com. I'd be happy to talk about spec issues in more depth, or issues with architecture as outlined above.
Really open to whatever! It's a complex topic, and fun to look at.
looking back, this sure seems more like a hit piece from a shill than a legit criticism of jwts