- From: Jan-Ivar Bruaroey <jib@mozilla.com>
- Date: Thu, 09 Oct 2014 09:29:41 -0400
- To: Eric Rescorla <ekr@rtfm.com>, Anne van Kesteren <annevk@annevk.nl>
- CC: Justin Uberti <juberti@google.com>, Stefan HÃ¥kansson LK <stefan.lk.hakansson@ericsson.com>, "public-media-capture@w3.org" <public-media-capture@w3.org>
On 10/8/14, 9:56 AM, Eric Rescorla wrote: > It is not generally true that *passive* network attackers will be able > to watch > or listen to users in real-time, even if gUM is used without an > authenticated > origin. The reason for this is that gUM merely makes a media stream > available to the JS, but doesn't send it anywhere other than the local > machine. In order for the media stream to be transmitted over the > network, it must either be: > > 1. Sent over connection established via PeerConnection. All of these are > encrypted using an end-to-end key establishment mechanism that is > intended to resist passive attackers. This is the way that all WebRTC > calling and conferencing type apps work. > > 2. Recorded via the Recording API and then directly exfiltrated. This > might or might not be over HTTPS > > Note that there are a number of applications (e.g., recording studio, > 2-d bar code readers, etc.) that can be implemented purely on the > user's computer without pushing any data to the server. This is an interesting point. If the recording API were to be limited to authenticated origins, it means unauthenticated gUM is effectively safe from *passive* attacks already. OTOH, couldn't an *active* MitM script injection use peerConnection to send user-prompted-and-granted camera+mic securely to the attacker today? .: Jan-Ivar :.
Received on Thursday, 9 October 2014 13:30:09 UTC