Re: [rtcweb] Security and browser/screen access

On 09/25/2011 11:48 PM, Randell Jesup wrote:
> This is an issue that impacts a usecase we've been discussing: access to the
> browser or screen bitmap is inherently very risky, security-wise.
>
> See Robert O'Callahan's blog post triggered by discussions of these usecases at
> our recent Mozilla All-Hands:
> http://robert.ocallahan.org/2011/08/securing-full-screen.html
>
> This directly affects use-cases like WebEx (of course), remote assistance, etc.
> We've glossed the security side of those so far.
This also is something that affects the W3 side of things more than it 
affects the IETF side of things; can I encourage people to join the W3C 
WEBRTC mailing list and take those discussions there?
>
> Note that these use-cases replace desktop or plugin installs which implicitly gave
> the provider access to far more than just the screen, so from that perspective
> screen access is actually a reduction in exposure.  However, there's a definitive
> decision (whether well-informed or not) to install these apps, and most of them
> (not all!) don't auto-update without asking; and you can un-install them.
>
> This once again, as I've mentioned in some other cases, wanders into the same territory
> as WebApp installation, which we also talked about looking at for handling "ongoing
> permissions" for camera/mic for services similar to Skype - tie it to a user "install".
> Whether that's good enough, and how that actually works are good questions.
>
Fully agree on the situation description.

Received on Monday, 26 September 2011 08:03:14 UTC