Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations from Eric Rescorla on 2015-10-27 (public-media-capture@w3.org from October 2015)

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 27 Oct 2015 06:45:09 -0400
To: Nick Doty <npdoty@w3.org>
Cc: Mathieu Hofman <Mathieu.Hofman@citrix.com>, Martin Thomson <martin.thomson@gmail.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CABcZeBMSO2ffFvLC4eOg+=x2-ZOOjtzHUE_EDkxy6802ebA8og@mail.gmail.com>

On Tue, Oct 27, 2015 at 1:44 AM, Nick Doty <npdoty@w3.org> wrote:

> On Oct 27, 2015, at 10:53 AM, Mathieu Hofman <Mathieu.Hofman@citrix.com>
> wrote:
>
> What we're saying is that every XSS or related security bug you have in the
> future, in addition to having security implications for your site's
> business, will
> also expose every previous user of your site to video and audio
> surveillance.
> It's not, "using this API involves sensitive data, so audit to find
> security bugs
> when you're using it", but rather "if you ever used this, you have to
> commit
> to perfect security diligence in perpetuity."
>
> At the least, I think Mathieu's suggestion about CSP might be useful in
> updating that section of the spec. We could give more specific
> recommendations about use of CSP and maybe user agents can take that
> signal into account when determining whether to grant a permission based
> on a prior granting.
>
>
> Actually I'm coming back on my original idea. I don't think CSP can be of
> any help, now that I realize CSP can be added to a compromised page using
> html meta element.
>
>
> That certain attackers can add CSP policies doesn't prevent their
> usefulness in this area. What we're concerned about is whether a
> previously-provided permission grant for getUserMedia can be safely relied
> on for later access to camera/microphone without a permission prompt. If a
> CSP policy is in place when getUserMedia was first used by a site and is
> still in place, then the browser can be provided some confidence that a
> permission still makes sense and is relatively less likely to be a XSS
> attack.
>

Wait, now you want the browser to *persist* the CSP policy and check
that the same policy is still in place? That's totally infeasible, if only
for the obvious reason that either (a) we check that the CSPs are
identical in which case we'll get all kinds of false positives or
(b) we have to do some kind of "substantively the same" check.


If you called getUserMedia on your small site and don't have a CSP policy
> and someone later finds an XSS attack, the lack of a CSP might be an
> indicator for the user agent not to persist the permission request.
>

But again, since the attacker can *inject* CSP of his own, any check that
relies on the existence of CSP is trivial to circumvent.

-Ekr

Received on Tuesday, 27 October 2015 10:46:19 UTC