RE: Comments/Questions on Media Capture Streams – Privacy and Security Considerations from Mathieu Hofman on 2015-10-27 (public-privacy@w3.org from October to December 2015)

From: Mathieu Hofman <Mathieu.Hofman@citrix.com>
Date: Tue, 27 Oct 2015 01:53:10 +0000
To: Nick Doty <npdoty@w3.org>, Eric Rescorla <ekr@rtfm.com>
CC: Martin Thomson <martin.thomson@gmail.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <3CD080DCDA030D47B8ED720F6B99FC810D54B79C@SJCPEX01CL02.citrite.net>

> From: Nick Doty [mailto:npdoty@w3.org]
> Sent: Monday, October 26, 2015 17:22
> To: Eric Rescorla <ekr@rtfm.com>
> Cc: Martin Thomson <martin.thomson@gmail.com>; Mathieu Hofman
> <Mathieu.Hofman@citrix.com>; Harald Alvestrand <harald@alvestrand.no>;
> public-media-capture@w3.org; public-privacy (W3C mailing list) <public-
> privacy@w3.org>
> Subject: Re: Comments/Questions on Media Capture Streams – Privacy and
> Security Considerations
> 
> I'm not sure the situations are analogous. Large web sites that handle credit
> card numbers or store personal information as part of their business are
> likely aware of the security implications, more than a website developer who
> once added a bit of JavaScript to take a user's picture. Ongoing surreptitious
> access to camera and microphone on someone's device is potentially much
> more harmful to the user than access to her credit card number and an
> annoying call with her bank's anti-fraud division. And the problem with the
> persisted permission in this case is that the threat exists for all users for all
> time in the future, even if the XSS bug isn't introduced or discovers until
> months or years later. And it's not just XSS, but if you have any bug where
> URL parameters can indicate a participant in a video chat (likely to be a
> common model) or any variation on a session fixation attack.
> 
> What we're saying is that every XSS or related security bug you have in the
> future, in addition to having security implications for your site's business, will
> also expose every previous user of your site to video and audio surveillance.
> It's not, "using this API involves sensitive data, so audit to find security bugs
> when you're using it", but rather "if you ever used this, you have to commit
> to perfect security diligence in perpetuity."
> 
> At the least, I think Mathieu's suggestion about CSP might be useful in
> updating that section of the spec. We could give more specific
> recommendations about use of CSP and maybe user agents can take that
> signal into account when determining whether to grant a permission based
> on a prior granting.

Actually I'm coming back on my original idea. I don't think CSP can be of any help, now that I realize CSP can be added to a compromised page using html meta element.

Mathieu

Received on Tuesday, 27 October 2015 01:53:40 UTC