Re: HbbTV and Web origins from Melvin Carvalho on 2015-05-02 (www-tag@w3.org from May 2015)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 2 May 2015 13:49:32 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <CAKaEYh+PrNypMN5ejWKKwAjR20MsKBK3=W8hC-5nzpmDuhTSig@mail.gmail.com>

On 27 April 2015 at 04:22, Mark Nottingham <mnot@mnot.net> wrote:

> This summary:
>
> http://blog.acolyer.org/2015/04/23/from-the-aether-to-the-ethernet-attacking-the-internet-using-broadcast-digital-television/
>
> of this paper:
>
> http://www.cs.columbia.edu/~angelos/Papers/2014/redbutton-usenix-sec14.pdf
>
> … makes for an interesting / scary read.
>
> I know that W3C has been engaging with various parts of the TV/broadcast
> community, but it seems like there's been a failure of some sort here, at
> least based on this; violating the origin model is pretty serious.
>
> Has there been any interaction between W3C and stakeholders there about
> this? It seems like we should have a liaison of some sort with DVB would
> help. It's also a timely reminder that as we get access to the Web in
> "things" — whether they be TVs, cars, refrigerators or whatever else,
> security (amongst many other properties of the Web) needs to be carefully
> guarded.
>

Thanks for sharing.  My initial reaction was to wonder how a system without
CORS protection could possibly make it to market.

Looking at the findings:

[[

Section 7 of the paper has an interesting breakdown of the economic costs
and benefits of different attacks assuming conservatively that the attack
compromises 10,000 hosts.

   - DDOS probably isn’t cost effective – you can already rent 20,000 hosts
   for a DDOS attack for about $5/hour.
   - Unauthenticated request forgery can be used for advertising click
   fraud, netting an estimate $2500 per attack even if each compromised host
   clicks on only a single ad.
   - Authenticated request forgery is even more valuable:

..according to [38] a verified Facebook account can retail for as much as
$1.50, giving the attacker a potential income of $15,000 per attack. Once
users begin using their Smart TVs for additional activities such as
shopping the impact of this attack will only grow…

]]

The main demerit seemed to be suggested was click fraud and stealing
facebook cookies.

However, historically it has been possible to steal facebook cookies as
they used HTTP and not HTTPS for a long time.

It seems clear that this system incorporated the web as the value of the
web increases with the number of connections, it's beneficial both to the
web and broadcast TV.  There is often the risk of taking security too far
(eg as we've seen with CORS blocking what are clearly public GET request),
and that in turn limiting the growth of the web, and reducing value.  It's
nice to be able to quantify some of the security threats, in relation to
that value.

>
> Cheers,
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>

Received on Saturday, 2 May 2015 11:50:00 UTC