I started wondering about the security model of WebCrypto non-extractable keys, and eventually became even more confused about the fundamental security model of WebCrypto itself. I am not debating the theoretical aspect, but curious whether WebCrypto is even a viable option when we try to build practical apps in the real world.
First of all, I understand that people recommend using non-extractable keys because non-extractable keys are secure because they cannot be exported. But I think many people would WANT to export their keys at some point if they don't want to risk losing everything.
For example, if you stored all your app data encrypted using a WebCrypto non-extractable key and can't export the key, this means you lose access to all your encrypted data when your IndexedDB gets wiped out for some reason, or even worse, if your entire computer gets wiped out or the disk gets corrupted. (This is not an impossible scenario. For example, when you send off your problematic MacBook to Apple for repair, they say I should back up everything in case something goes wrong.)
This is just an encrypt/decrypt scenario, but I'm sure there are the same types of issues with signing/verifying messages. If I want to use crypto as my identity by signing messages, why would I want to use a key that even I cannot access and export myself, so I can only use that key on that specific browser on that specific device?
So I guess this is a four-part question (notice that these questions are all about whether it's possible to build practical and secure apps with good UX using WebCrypto by storing things in the browser, and not about whether WebCrypto itself is secure):
- What are the actual use cases for non-exportable keys? Why would people want to go that far while risking key losses?
- Don't most people want to be able to reuse and back up their keys, especially since they're used for identity and encryption purposes?
- If #2 is true, and there is no way to securely store extractable keys inside a browser, how do people build a secure app using WebCrypto?
- Finally, isn't storing keys on the browser fundamentally insecure whether extractable or not? Even if the key cannot be exported, a website can sign a message on behalf of the user (or decrypt a message intended for the user and send it to their server) without the user knowing, and that's a huge security issue.