Security and Privacy Threat Analysis for Solid

2023 IEEE SECURE DEVELOPMENT CONFERENCE, SECDEV(2023)

Abstract
This paper provides an in-depth security and privacy analysis of the Solid protocol. Solid is a specification that allows user data to be stored in a decentralized manner in a personal online datastore (pod), independent of the application. This allows users to easily migrate to a different service and have more control over who data is shared with. We provide a comprehensive overview of the authentication, identification, and authorization protocols within Solid. We make use of the SPARTA threat modeling tool to assess the security and privacy aspects of Solid by modeling a realistic finance analytics application envisioned by the Solid community. This concrete use case allowed us to prioritize the residual threats in Solid. We employ methodologies such as STRIDE and LINDDUN for robust security and privacy threat modeling. The findings highlight the existence of several critical threats in the Solid specification. This is especially the case for privacy threats: although privacy is an essential aspect of Solid, it has so far not received enough attention, as our results indicate. These findings can be employed in future work to prioritize which residual threats to address and mitigate first.
Keywords
Solid, Security, Privacy, STRIDE, LINDDUN, SPARTA