On Mon, Mar 16, 2015 at 3:24 PM, Eric Rescorla <e...@rtfm.com> wrote:

> Lots of people have the cameras in their rooms pointing at them even when
> they are not using the computer, and so the camera can be used to spy on
> them (Again, I refer you to Checkoway's description of "ratting" [1]). This
> might be more obvious if you think about the microphone. I assume you can
> see the value of my remotely accessing the microphone on your phone even
> when you are not actively using it?

Yes, that makes it perfectly clear. Thank you.

> They already have to be HTTPS. The background for this discussion is that
> getUserMedia() enforces the policy that Anne is proposing.

I was unaware of that. That sounds very reasonable.

> I'm really confused by what you are arguing for, since the text that you
> quote is a response to you writing
>
> "Why isn't the user prompted before every picture is taken? Is there
> really a use-case for allowing a site to take pictures without the
> user's case-by-case permission that outweighs the privacy issues?"
>
> So I took from this that you wanted a consent prompt every time.

I want that for getUserMedia, yes. It scares me that even HTTPS sites are allowed to persist this permission, because server-side compromises are common. But if we have to allow it at all, it makes sense to limit the attack surface as much as possible, even if I'm not sure about how effective this measure is in preventing attacks in practice.

> What Anne is proposing (and I support) is that the browser be allowed to
> persist consent only on HTTPS sites (the details of when it would do
> so vary between APIs and between browsers, perhaps). This is the current
> state of play for getUserMedia (camera and microphone) but not for other
> APIs. How is it you believe that the browser should behave?

I think this makes sense for getUserMedia, at a minimum. I think other APIs need to be considered on a case-by-case basis, because this doesn't fully solve the security problem, annoys the user, and causes permissions-prompt fatigue. I don't think a blanket policy of only persisting any permissions over HTTPS is a good idea, e.g., for pop-ups.

So I think I actually more or less agree with most people here after all. :)

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform