Re: WebRTC Security Assessment

From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 6 Nov 2014 10:35:23 -0500
Message-ID: <CAL02cgRe312aCvdmr7Ap1i4JkhNTo+XysS02K3eTxzeqTx1TrQ@mail.gmail.com>
To: Rigo Wenning <rigo@w3.org>
Cc: GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-web-security@w3.org" <public-web-security@w3.org>, public-webappse@w3.org

I've just skimmed a couple of parts of this paper, and I would advise readers
to be very cautious, since it makes some very inaccurate statements.  For
example, in Chapter 3:

"But unlike in Chrome, all permissions are only for the duration of the
session, that is, until the browser closes. There is no way to revoke a
permission, except by closing the browser."

This is false.  In Firefox 28 (which I assume is the antique version the
researchers tested), the permission endures only for the duration of a page
load.  Even navigating to another page in the same window destroys the
permission.  Current versions of Firefox offer an explicit revocation
option (by clicking the camera) to revoke without leaving the page.

--Richard


On Wed, Nov 5, 2014 at 4:47 PM, Rigo Wenning <rigo@w3.org> wrote:

> Hi all,
>
> as promised to some of you during TPAC, the STREWS project has published
> today the WebRTC Security Case Study. It was teamwork from the entire
> project, but special thanks go to Stephen Farrell for constantly
> cleaning and improving the document.
>
> The Document is published on the STREWS website under "results":
>
> http://www.strews.eu/results/91-d12
>
> For your convenience, here is the abstract:
>
> Built-in handling of Real Time Media (audio, video) on the web promises
> potentially significant change in telephony and in conference calling.
> The W3C WebRTC and IETF rtcweb working groups are developing the set of
> specifications that will allow browsers and web sites to support such
> calling and other functions. This is clearly a potentially security
> sensitive extension to the web, so STREWS has devoted effort on this
> topic as a case study to both attempt to improve the overall security of
> the result and to see if this approach holds promise as a way to improve
> interactions between researchers and standards makers and hence the
> overall security of the web. In this deliverable, we show some possibly
> new issues with WebRTC security discovered by researchers (from SAP)
> that the standards makers may not have considered. However, while this
> deliverable is, as a deliverable, final, the work itself goes on, partly
> involving discussions between the STREWS project and participants in the
> IETF and W3C so in technical terms this remains a work-in-progress.
>
> --
> Rigo Wenning (@rigow) - W3C Legal counsel
Received on Thursday, 6 November 2014 15:35:51 UTC