1

We have a web application that puts a private key in LocalStorage, which enables users to sign off certain messages. It's been working fine until today we saw this announcement from Apple.

The TLDR; version is that now there is a "7-Day Cap on All Script-Writeable Storage". If the user does not interact with your web application for 7 days then everything gets wiped. Everything is,

  • Client-side cookies
  • Indexed DB
  • LocalStorage
  • Media keys
  • SessionStorage
  • Service Worker registrations

We understand that Apple is doing this to curb cross-site tracking, but it kills our use case. Any ideas? We would really like to avoid requiring users install a browser plugin, which we all know isn't very popular right now either due to the same privacy concerns.

Glorfindel
  • 2,263
  • 6
  • 19
  • 30
reedvoid
  • 113
  • 4

1 Answers1

1

It looks like the solution to this problem may be to add the application to the home screen. It seems that the author of the blog post that you referenced added clarification on this, after it was originally published. If you scroll down to the section 'A Note On Web Applications Added to the Home Screen', it reads:

As mentioned, the seven-day cap on script-writable storage is gated on “after seven days of Safari use without user interaction on the site.” That is the case in Safari. Web applications added to the home screen are not part of Safari and thus have their own counter of days of use. Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.

If your web application does experience website data deletion, please let us know since we would consider it a serious bug. It is not the intention of Intelligent Tracking Prevention to delete website data for first parties in web applications.

Related:
Apple: Relax, we're not totally screwing web apps. But yes, third-party cookies are toast
Sure, we'll delete local data after seven days but there's a way to avoid that
https://www.theregister.co.uk/2020/03/26/apple_relax_were_not_totally/

Last but not least, I hope you are using the Web Crypto API to store your private keys securely. See https://crypto.stackexchange.com/questions/35530/where-and-how-to-store-private-keys-in-web-applications-for-private-messaging-wi/52488#52488 for more info.

mti2935
  • 21,098
  • 2
  • 47
  • 66
  • 1
    I think the home screen thing isn't very helpful. 1/ I know of exactly zero people who actually use this feature. 2/ if I don't touch this application for 7 days even if it is on the home screen, the data will still get wiped. Am I missing something here? – reedvoid Mar 28 '20 at 00:20
  • The wording in the article could be clearer, but I'm not interpreting it the way that you are with regard to 2/, especially in light of the second paragraph that I copied above. I agree with you on 1/, but I'm not sure there is any other solution, short of the user storing their keys outside of the application, or something similar to the way that ProtonMail does it. – mti2935 Mar 28 '20 at 00:47
  • How does ProtonMail do it? Right now I am trying to figure something out around deriving (or partially deriving) a new secret key based on the user's password. I'm not a crypto expert but wonder if there's some way to prove linkage between different secret keys so that I can associate keys together somehow - like yes these signatures are from 20 different key pairs but I can prove to you that they are related somehow. Maybe this is a question for the cryptography forum. – reedvoid Mar 28 '20 at 07:36
  • OK I found an explanation of Protonmail here: https://security.stackexchange.com/questions/58541/how-are-protonmail-keys-distributed. But they run into the problem of user forgetting their password... after that still no way to link different signatures. – reedvoid Mar 28 '20 at 07:54
  • 1
    With regard to, ' I wonder if there's some way to prove linkage between different secret keys so that I can associate keys together somehow - like yes these signatures are from 20 different key pairs but I can prove to you that they are related somehow' - You can sign the public keys of the 20 key pairs, using the private key of the master key pair. Then, these signatures, along with the public key of the master key pair, show that all 20 key pairs were signed using the master key, so they are related. – mti2935 Mar 28 '20 at 11:24