W3C home > Mailing lists > Public > public-web-intents@w3.org > July 2012

RE: Explicit intents privacy concern

From: Deepanshu Gautam <deepanshu.gautam@huawei.com>
Date: Tue, 24 Jul 2012 00:51:33 +0000
To: Greg Billock <gbillock@google.com>, "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com>
CC: "paulkinlan@google.com" <paulkinlan@google.com>, "public-web-intents@w3.org" <public-web-intents@w3.org>
Message-ID: <DA22857AC9F15C469BB47FE88C020129423C4F61@szxeml547-mbx.china.huawei.com>
The client site (Image Manager) may not be hostile but the service site (Image Editor) it send my data to, can be something I *don't like* or something I don't trust. As long as my data is with client site it is not compromised.


Regards

Deepanshu Gautam
Senior Engineer, Service Standards, Huawei
O: +86 25 56620008 M: +8613585147627

> -----Original Message-----
> From: Greg Billock [mailto:gbillock@google.com]
> Sent: Tuesday, July 24, 2012 4:59 AM
> To: Frederick.Hirsch@nokia.com
> Cc: paulkinlan@google.com; public-web-intents@w3.org
> Subject: Re: Explicit intents privacy concern
> 
> Sure, but the attacker here is the client site -- which by definition
> already has the data. The point being, if that site is hostile, the
> data is already compromised before an intent is ever invoked.
> 
> On Mon, Jul 23, 2012 at 1:29 PM,  <Frederick.Hirsch@nokia.com> wrote:
> > Yes, the major concern is that the data reaches a site without user consent
> or involvement.
> >
> > The approach discussed in the face - face, the "speed bump" , is not to pass
> the data with this initial connection, allow a user to go "back" without
> sharing data
> >
> >
> > regards, Frederick
> >
> > Frederick Hirsch
> > Nokia
> >
> >
> >
> > On Jul 23, 2012, at 2:20 AM, ext Paul Kinlan wrote:
> >
> >> My general thought would be that this is mitigated by the fact that we can
> deliver data asynchronously, and if required get the users approval to let the
> data in to the service app.
> >>
> >> I think some of the worry is that I am don't have the service installed,
> because I don't know where the data is going when I click on the button in a
> client page, it might open up Facebook or G+ and I might find that my data
> being visible to these abhorent, it might be worse to the user if the service
> invoked is a site that is completely untrusted.
> >>
> >> P
> >
Received on Tuesday, 24 July 2012 00:53:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 24 July 2012 00:53:27 GMT