Skip to content

Desktop Web Browser Client Configuration

Jump to bottom
wmiaw edited this page Nov 5, 2014 · 4 revisions

This configuration applies to desktop web browser clients on platforms that support HTML5 and the Web Cryptography API. Examples include Chrome Browser, Internet Explorer, and Safari.

Due to browser security policies, it is not possible to make use of HTTP traffic on a web page delivered over HTTPS. As a result a decision must be made regarding the delivery of the initial web page containing the JavaScript MSL stack and the data used to authenticate remote entities. If the initial web page is delivered over an untrusted HTTP channel the MSL stack and authentication data may be modified by a third party. In all cases the MSL stack and authentication data may be modified by the client user.

Additionally although the Web Crypto API does not allow unauthorized use or non-extractable keying material from being exposed to JavaScript either in the clear or wrapped with a requested key, the keying material is not necessarily protected from unauthorized use or exposure by avenues other than JavaScript.

Entity Authentication

The unauthenticated entity authentication scheme will be used. The entity identity will be a randomly generated value that is unlikely to collide. In the event of a collision, entity re-authentication will occur which will also trigger user re-authentication.

Although this scheme may allow entity identity harvesting and does allow spoofing, it is used to satisfy the desire to maintain the same identity if entity re-authentication must occur.

User Authentication

The Netflix ID cookies user authentication scheme will be used. It is assumed the user logged in to the Netflix service over SSL at a prior time.

If a user ID token already exists at application startup, the Netflix ID cookies will be included along with the user ID token in the first MSL message to perform a user verification. This is done to ensure the user identities are still in sync. If verification fails user re-authentication will occur using the Netflix ID cookies.

Key Exchange

The asymmetric wrapped key exchange scheme will be used with the JWEJS_RSA mechanism. The RSA key pair will be dynamically generated as needed.

A Netflix Original Production
Tech Blog | Twitter @NetflixOSS | Jobs

Clone this wiki locally