- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Mon, 26 Sep 2011 10:02:35 +0200
- To: Randell Jesup <randell-ietf@jesup.org>
- CC: "rtcweb@ietf.org" <rtcweb@ietf.org>, public-webrtc@w3.org
On 09/25/2011 11:48 PM, Randell Jesup wrote:
> This is an issue that impacts at a usecase we've been discussing:
> access to the browser or screen bitmap is inherently very risky,
> security-wise.
>
> See Robert O'Callahan's blog post triggered by discussions of these
> usecases at our recent Mozilla All-Hands:
> http://robert.ocallahan.org/2011/08/securing-full-screen.html
>
> This directly affects use-cases like WebEx (of course), remote
> assistance, etc.
> We've glossed the security side of those so far.

This also is something that affects the W3 side of things more than it affects the IETF side of things; can I encourage people to join the W3C WEBRTC mailing list and take those discussions there?

> Note that these use-cases replace desktop or plugin installs which
> implicitly gave the provider access to far more than just the screen,
> so from that perspective screen access is actually a reduction in
> exposure. However, there's a definitive decision (whether
> well-informed or not) to install these apps, and most of them
> (not all!) don't auto-update without asking; and you can un-install them.
>
> This once again as I've mentioned in some other cases wanders into the
> same territory as WebApp installation, which we also talked about
> looking at for handling "ongoing permissions" for camera/mic for
> services similar to Skype - tie it to a user "install".
> Whether that's good enough, and how that actually works are good
> questions.

Fully agree on the situation description.
Received on Monday, 26 September 2011 08:03:14 UTC