On Mon, Mar 16, 2015 at 5:10 AM, Aryeh Gregor <a...@aryeh.name> wrote:
> On Thu, Mar 12, 2015 at 9:42 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> > On 3/12/15 3:31 PM, Aryeh Gregor wrote:
> >>
> >> 2) Attacker opens a background tab and navigates it to http://b.com (I
> >> can't think of a JavaScript way to do this, but if there isn't one,
> >> making a big <a href="b.com" target=_blank> that covers the whole page
> >> would work well enough)
> >
> > This is presuming user interaction. I agree that attacks that rely on user
> > interaction are also a problem here, but I'm _really_ scared by the
> > potential of no-interaction needed attacks, which can happen when the user
> > is not even actively using the computer. Maybe it's just me.
>
> What's the use of taking a picture if the user isn't actively using
> the computer? Also, the user will almost certainly return to the
> computer at some point, and the attacker can probably wait till then.

Lots of people have the cameras in their rooms pointing at them even when they are not using the computer, and so the camera can be used to spy on them (Again, I refer you to Checkoway's description of "ratting" [1]). This might be more obvious if you think about the microphone. I assume you can see the value of my remotely accessing the microphone on your phone even when you are not actively using it?

> On Thu, Mar 12, 2015 at 10:53 PM, Eric Rescorla <e...@rtfm.com> wrote:
> > Yes. User consent failure represents a large fraction of failures on
> > video conferencing sites.
>
> Hmm. I guess I'm not qualified to say whether this is worth it, but
> it still does scare me. Would these sites care if they have to be
> HTTPS?

They already have to be HTTPS. The background for this discussion is that getUserMedia() enforces the policy that Anne is proposing.

> > Also, continually prompting users for
> > permissions weakens protections against users granting consent
> > to malicious sites.
> >
> > See also Adam Barth's
> > "Prompting the User Is a Security Failure" at
> > http://rtc-web.alvestrand.com/home/papers
>
> Thoroughly agreed, and that is exactly what this proposal would do --
> make users click through lots of extra permissions dialogs.

I'm really confused by what you are arguing for, since the text that you quote is a response to you writing "Why isn't the user prompted before every picture is taken? Is there really a use-case for allowing a site to take pictures without the user's case-by-case permission that outweighs the privacy issues?"

So I took from this that you wanted a consent prompt every time. What Anne is proposing (and I support) is that the browser be allowed to persist consent only on HTTPS sites (the details of when it would do so vary between APIs and between browsers, perhaps). This is the current state of play for getUserMedia (camera and microphone) but not for other APIs.

How is it you believe that the browser should behave?

-Ekr

[1] https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/brocker