- From: Alexander Shalamov via GitHub <sysbot+gh@w3.org>
- Date: Thu, 07 Sep 2017 07:40:08 +0000
- To: public-device-apis-log@w3.org
In addition to generic mitigation strategies for [Security and Privacy](https://w3c.github.io/sensors/#security-and-privacy) concerns, we've made a [preliminary analysis](https://github.com/w3c/ambient-light/issues/13#issuecomment-302393458) of the attack vector identified by @iknik and have a rough estimation of the required resolution limits that mitigate the risk. In addition to that, we are investigating even higher resolution limits [(4bit)](https://docs.google.com/document/d/1XThujZ2VJm0z0Gon1zbFkYhYo6K8nMxJjxNJ3wk9KHo) for some of the sensors.

The PIN skimming attacks and cross-origin communication are addressed in the [Security and Privacy](https://w3c.github.io/sensors/#security-and-privacy) section and implemented in Chrome. In addition to integration with the Permission API, sensors are only accessible to secure, focused, visible, top-level browsing contexts.

@wseltzer @anssiko Does the specification address the raised issue?

--
GitHub Notification of comment by alexshalamov
Please view or discuss this issue at https://github.com/w3c/sensors/issues/182#issuecomment-327715929 using your GitHub account
Received on Thursday, 7 September 2017 07:40:06 UTC