Best way to refute my argument is to provide some references where JWT was unsafe or local storage was compromised.
Instead you are still continuing the FUD and throwing a bunch of other accomplished people's names and complicated crypto words and "security community" to bring credibility to your arguments.
I think you should talk about this to some other experienced people at your work place. People with serious qualifications disagree with your assessment of the topic at hand.
And, re: when is local storage compromised... Read through OWASP top 10: owasp.org/images/7/72/OWASP_Top_10... (XSS has been one of the top 10 web exploits since 2013 and likely far before).
The first link says "This article does not argue that you should never use JWT". but you are confidently advocating everyone not to use JWT at all.
The other links do not show any vulnerabilities in either local storage or use of JWT tokens. They are talking about specific cases of using bad encryption mechanisms with JWT payload.
If you have XSS in your setup, using local storage is least of your concerns.
The links you posted are related to security. None of them support your argument that local storage and JWT are bad.
The first link describes what is talked about in this post. Using JWTs for web auth is not optimal and causes a lot of issues.
The other links talk specifically about weaknesses in JWTs as a protocol, implementation issues, and real security concerns with the spec.
The bit about OWASP + XSS is the main issue around local storage, since it's something difficult to prevent, even when you're using CSP, which I explained in depth in this article itself.
I'm not certain what more you are looking for =/ The usage of JWTs for web authentication tokens is not ideal, and even for valid use cases of JWTs they are not optimal to use due to security issues with the protocol (as well as many popular implementations) you would be better served using alternative token types which avoid JWT issues.
In short:
It is not recommended to store sensitive data in local storage due to wide prevalence of XSS and the difficulty of preventing XSS
JWTs are not recommended due to spec issues, poor encryption and signing algorithm choices, complex specs that make developing JWT libraries challening, and flexibility in algorithm usage which allows web developers to easily mess up important implementations
You are able to talk around the topic in circles while missing the whole point. You are advocating people not to use local storage and JWT tokens based on nothing credible or nothing concrete. You are misleading a lot of people with your story.
There are perfect legitimate use cases for JWT and Local storage. They are very useful tools.
There are no spec issues with JWT and you can use JWT without encryption.
XSS is not an issue with local storage.
Please stop the FUD.
You do not have to explain anything, If what you say is credible and has any merit, people will make up their mind.
What you are saying is directly contrary to what is outlined in those links I supplied.
I'd love to have a more in depth convo at some point. I'd you're interested in continuing the conversation please hit me up: r@rdegges.com. I'd be happy to talk about spec issues in more depth, or issues with architecture as outlined above.
Really open to whatever! It's a complex topic, and fun to look at.
Best way to refute my argument is to provide some references where JWT was unsafe or local storage was compromised.
Instead you are still continuing the FUD and throwing a bunch of other accomplished people's names and complicated crypto words and "security community" to bring credibility to your arguments.
I think you should talk about this to some other experienced people at your work place. People with serious qualifications disagree with your assessment of the topic at hand.
Here are some good resources to read through:
And, re: when is local storage compromised... Read through OWASP top 10: owasp.org/images/7/72/OWASP_Top_10... (XSS has been one of the top 10 web exploits since 2013 and likely far before).
Did you even read these blogs you linked to?
The first link says "This article does not argue that you should never use JWT". but you are confidently advocating everyone not to use JWT at all.
The other links do not show any vulnerabilities in either local storage or use of JWT tokens. They are talking about specific cases of using bad encryption mechanisms with JWT payload.
If you have XSS in your setup, using local storage is least of your concerns.
The links you posted are related to security. None of them support your argument that local storage and JWT are bad.
Yes -- they do.
The first link describes what is talked about in this post. Using JWTs for web auth is not optimal and causes a lot of issues.
The other links talk specifically about weaknesses in JWTs as a protocol, implementation issues, and real security concerns with the spec.
The bit about OWASP + XSS is the main issue around local storage, since it's something difficult to prevent, even when you're using CSP, which I explained in depth in this article itself.
I'm not certain what more you are looking for =/ The usage of JWTs for web authentication tokens is not ideal, and even for valid use cases of JWTs they are not optimal to use due to security issues with the protocol (as well as many popular implementations) you would be better served using alternative token types which avoid JWT issues.
In short:
Not sure what else I can do to explain :o
You are able to talk around the topic in circles while missing the whole point. You are advocating people not to use local storage and JWT tokens based on nothing credible or nothing concrete. You are misleading a lot of people with your story.
There are perfect legitimate use cases for JWT and Local storage. They are very useful tools.
There are no spec issues with JWT and you can use JWT without encryption.
XSS is not an issue with local storage.
Please stop the FUD.
You do not have to explain anything, If what you say is credible and has any merit, people will make up their mind.
What you are saying is directly contrary to what is outlined in those links I supplied.
I'd love to have a more in depth convo at some point. I'd you're interested in continuing the conversation please hit me up: r@rdegges.com. I'd be happy to talk about spec issues in more depth, or issues with architecture as outlined above.
Really open to whatever! It's a complex topic, and fun to look at.
looking back, this sure seems more like a hit piece from a shill than a legit criticism of jwts