- From: <bugzilla@jessica.w3.org>
- Date: Fri, 14 Dec 2012 09:33:54 +0000
- To: public-audio@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=17417 --- Comment #7 from Jussi Kalliokoski <jussi.kalliokoski@gmail.com> --- (In reply to comment #6) > (In reply to comment #5) > > I agree that the word should be "SHOULD". After all, it's the ideal, and > > "SHOULD" still isn't "MUST". > > It's true, SHOULD isn't MUST - but I've become much less convinced there's a > real fingerprinting issue here, particularly since Java has had unprompted > MIDI support for a vary long time Yes, Java is quite well-known for its security features... Hahaha, sorry, that fruit was hanging way too low for me to resist. > and the exploits would be VERY uncommon > and very equipment-dependent. I'm exploring internally with security folks > to get their sense, but I don't think that the UA SHOULD prompt the user in > the default case. I agree with you on exploits, they're likely to be a very uncommon and relatively meaningless, but they're still exploits. The last thing we need is more attack-vector surface on the web. As for fingerprinting, if the default is not to ask, we void every other working group's often extreme efforts to avoid user fingerprinting and practically give the user's identity on a plate to anyone who wants to take it. That is, if they have any distinguishable MIDI devices. The main reason Java's MIDI API isn't used for fingerprinting often is that it's not very subtle (you want fingerprinting to be subtle). Add that to the fact that just the MIDI information isn't enough to form a reliable pool of entropy to identify users (usually), and it's not a very tempting choice. However, if the user doesn't even notice that you're getting the info, it's a very nice source of entropy. We don't want to add a freebie to the already-too-large pool of entropy each user carries with their browsing session. -- You are receiving this mail because: You are on the CC list for the bug.
Received on Friday, 14 December 2012 09:34:01 UTC