re: Please Stop Using Local Storage


This story creates so much FUD (Fear, Doubt and Uncertainty) about a very common tool like Local Storage, which is very essential for a lot of web applications.

Careful research on this topic will tell you that there are no known Local Storage vulnerabilities that let someone else steal your data from the browser's local storage.

JWT is an awesome idea that works well for scaling many services.

Storing JWT tokens in local storage is perfectly alright.

Storing ids in Local storage is perfectly alright unless it is something like social security id. Even if some developer did store social security id on local storage, it is not so easy to steal that information from local storage unless the end user has malicious browser plugins. If the end user has malicious plugins then nothing will help.

There is a place for encrypted cookies, local storage, IndexedDB and server side session storage. There is no one size fits all approach to all problems. In many many cases, storing temporary data like ids and user preferences on that site is perfectly alright.

These ideas belong to the author and definitely not the employers, but I cannot help it, after reading this, I have a very poor opinion of the employer. I doubt I am the only one who thinks like that.


Hey there,

Thanks for leaving a comment!

I understand what you're getting at here, but I strongly disagree. I'm one of many people actively involved in the security community with this viewpoint.

The creators of the JWT spec itself, for instance, did not design it for the way it is being used in web apps described here. There are TONS of resources written by cryptographers (like DJB), security professionals, etc., all pointing to the massive holes and problems that using JWTs and storing tokens in local storage can cause.

It's not just me.

The biggest problem I see is that there is so much misinformation around advocating using these things. This is a big problem.

This article is just one of many which showcase some of the issues with all the insecure recommendations made amongst the general web development community.

I strongly urge you to read through all the other resources out there which have more to say on this topic. Not only does OWASP recommend against using local storage (which was the point of this article), but there are a PLETHORA of reasons why you don't want to use JWTs AT ALL! The spec itself has SERIOUS issues and has been widely criticized by the security/cryptography community.

The underlying crypto options themselves have a million issues that cannot be easily resolved, and that's all BESIDES the portion this article talks about, which is just the high level architecture/storage piece.


Best way to refute my argument is to provide some references where JWT was unsafe or local storage was compromised.

Instead you are still continuing the FUD and throwing a bunch of other accomplished people's names and complicated crypto words and "security community" to bring credibility to your arguments.

I think you should talk about this to some other experienced people at your work place. People with serious qualifications disagree with your assessment of the topic at hand.

Here are some good resources to read through:

And, re: when is local storage compromised... Read through OWASP top 10: owasp.org/images/7/72/OWASP_Top_10... (XSS has been one of the top 10 web exploits since 2013 and likely far before).

Did you even read these blogs you linked to?

The first link says "This article does not argue that you should never use JWT", but you are confidently advocating everyone not to use JWT at all.

The other links do not show any vulnerabilities in either local storage or use of JWT tokens. They are talking about specific cases of using bad encryption mechanisms with JWT payload.

If you have XSS in your setup, using local storage is least of your concerns.

The links you posted are related to security. None of them support your argument that local storage and JWT are bad.

Yes -- they do.

The first link describes what is talked about in this post. Using JWTs for web auth is not optimal and causes a lot of issues.

The other links talk specifically about weaknesses in JWTs as a protocol, implementation issues, and real security concerns with the spec.

The bit about OWASP + XSS is the main issue around local storage, since it's something difficult to prevent, even when you're using CSP, which I explained in depth in this article itself.

I'm not certain what more you are looking for =/ The usage of JWTs for web authentication tokens is not ideal, and even for valid use cases of JWTs they are not optimal to use due to security issues with the protocol (as well as many popular implementations); you would be better served using alternative token types which avoid JWT issues.

In short:

  • It is not recommended to store sensitive data in local storage due to wide prevalence of XSS and the difficulty of preventing XSS
  • JWTs are not recommended due to spec issues, poor encryption and signing algorithm choices, complex specs that make developing JWT libraries challenging, and flexibility in algorithm usage which allows web developers to easily mess up important implementations

Not sure what else I can do to explain :o

You are able to talk around the topic in circles while missing the whole point. You are advocating people not to use local storage and JWT tokens based on nothing credible or nothing concrete. You are misleading a lot of people with your story.

There are perfectly legitimate use cases for JWT and Local storage. They are very useful tools.

There are no spec issues with JWT and you can use JWT without encryption.

XSS is not an issue with local storage.

Please stop the FUD.

You do not have to explain anything. If what you say is credible and has any merit, people will make up their mind.

What you are saying is directly contrary to what is outlined in those links I supplied.

I'd love to have a more in depth convo at some point. If you're interested in continuing the conversation please hit me up: r@rdegges.com. I'd be happy to talk about spec issues in more depth, or issues with architecture as outlined above.

Really open to whatever! It's a complex topic, and fun to look at.

looking back, this sure seems more like a hit piece from a shill than a legit criticism of jwts
